
Are duplicate results in custom SQL alert triggers acceptable?

Hello all,

 

I've been attempting to create a custom SQL alert for UDT but I noticed that the default SELECT statement results in duplicate rows. All my JOIN actions just make this worse. Is this acceptable in the Alerting Engine or will this cause issues? I'm attempting to send an alert when a RogueMAC is detected within specific IP Subnets. I believe these duplications are also causing the custom SQL variables to sometimes return the code instead of a result. Any guidance and/or knowledge is greatly appreciated!

This returns duplicate rows.
SELECT UDT_RogueMACAlert.MACAddress, UDT_RogueMACAlert.EndpointID FROM UDT_RogueMACAlert
The below just makes it worse.
Left JOIN UDT_IPAddress IPA on IPA.EndPointID = UDT_RogueMacAlert.EndPointID
Left Join UDT_EndpointIP EIP on EIP.IPAddressID = IPA.IPAddressID
Where UDT_RogueMacAlert.Rogue = 1 AND ((IPA.IPAddress like 'x.x.x.%') OR (IPA.IPAddress like 'y.y.y.%'))

1 Reply

Deduplication should resolve the duplicate result, but I would advise you do some testing so that you do not end up with multiple alerts for the same issue.

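The join fan-out described in the question, reproduced as an added example (not code from either poster or from the product), together with one way to keep the subnet filter without adding rows. It assumes the default SELECT must stay as posted, uses SQLite as a stand-in for the Orion database, models only the columns named in the post, and all rows and subnets are constructed.

```python
import sqlite3

# Constructed, minimal stand-ins for the UDT tables named in the post; only the
# columns the post references are modelled, and every row is made up.
SCHEMA = """
CREATE TABLE UDT_RogueMACAlert (MACAddress TEXT, EndpointID INT, Rogue INT);
CREATE TABLE UDT_IPAddress (IPAddressID INT, EndpointID INT, IPAddress TEXT);
CREATE TABLE UDT_EndpointIP (IPAddressID INT);
INSERT INTO UDT_RogueMACAlert VALUES
  ('00:11:22:33:44:55', 1, 1), ('66:77:88:99:AA:BB', 2, 1), ('CC:DD:EE:FF:00:11', 3, 0);
INSERT INTO UDT_IPAddress VALUES
  (10, 1, '192.0.2.10'), (11, 1, '192.0.2.11'), (20, 2, '203.0.113.5');
INSERT INTO UDT_EndpointIP VALUES (10), (10), (11);
"""

BASE = ("SELECT UDT_RogueMACAlert.MACAddress, UDT_RogueMACAlert.EndpointID "
        "FROM UDT_RogueMACAlert ")

# Join form from the post: each matching IP / EndpointIP row repeats the alert row.
JOINED = BASE + """
LEFT JOIN UDT_IPAddress IPA ON IPA.EndpointID = UDT_RogueMACAlert.EndpointID
LEFT JOIN UDT_EndpointIP EIP ON EIP.IPAddressID = IPA.IPAddressID
WHERE UDT_RogueMACAlert.Rogue = 1
  AND (IPA.IPAddress LIKE '192.0.2.%' OR IPA.IPAddress LIKE '198.51.100.%')
"""

# Same subnet filter as a semi-join: EXISTS tests for a match without adding rows.
EXISTS = BASE + """
WHERE UDT_RogueMACAlert.Rogue = 1 AND EXISTS (
  SELECT 1 FROM UDT_IPAddress IPA
  WHERE IPA.EndpointID = UDT_RogueMACAlert.EndpointID
    AND (IPA.IPAddress LIKE '192.0.2.%' OR IPA.IPAddress LIKE '198.51.100.%'))
"""

def run(query):
    """Run a query against a fresh in-memory copy of the constructed data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(query).fetchall()
    db.close()
    return rows

def duplicate_count(rows):
    """Number of rows that repeat an earlier (MACAddress, EndpointID) pair."""
    return len(rows) - len(set(rows))

if __name__ == "__main__":
    for name, query in (("join", JOINED), ("exists", EXISTS)):
        rows = run(query)
        print(name, len(rows), "rows,", duplicate_count(rows), "duplicates")
```

Rows that are already duplicated in UDT_RogueMACAlert itself are not removed by the semi-join; it only stops the joins from multiplying them further.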