Level 7

Alert condition for down alert not firing alerts

Hi,

I have set up a generic alert for when a node goes down. Within it I have excluded certain items (WAN routers), as I have a separate alert set up for those. Looking at the Show list for the objects in the environment, they do not appear, so I believe the trigger condition for this alert is set up correctly: all the nodes not equal to the WAN routers do alert, and the Junipers are not triggered by this alert.

pastedImage_0.png

My second alert, purely for the WAN routers, is configured to find devices with the role of WAN. They show in the detected child objects list as expected, and the status is set to down.

pastedImage_1.png

pastedImage_2.png

For some reason the WAN router alert does not trigger and I'm not entirely sure why. I think it's probably one of the trigger conditions on either, but I can't seem to get my head around it. I have searched the forum but haven't found anything quite the same as this. If anyone has any ideas on what is wrong, it would be appreciated.

Thanks

0 Kudos
4 Replies

oli_herd

Also, it might help if you break down your first alert a bit, separating the scope and actual alert definition(s). Maybe have all of the node name criteria in the scope, then put the status indicator in the actual alert trigger.

0 Kudos
Level 15

Easiest way to ID potential scope issues is to download and install the SDK, and then use SWQL Studio to verify your alert scope.

Click the little drop-down arrow on the right, then select "Show SWQL".

pastedImage_0.png

Remove the "WHERE Status = xxxx" and then run the resulting query in the SWQL Studio app and verify you're seeing the nodes you expect to see.

The original query will most likely look similar to this:

SELECT E0.[Uri], E0.[DisplayName]
FROM Orion.Nodes AS E0
WHERE ( ( E0.[Status] = '2' ) AND ( E0.[Caption] != 'ThatOtherRouter' ) AND ( E0.[CustomProperties].[DeviceRole] = 'WAN' ) )

I would update it to look more like this to add some more data in the results that make it more user-readable:

SELECT E0.[NodeID], E0.[DisplayName], E0.[IPAddress], E0.[CustomProperties].[DeviceRole] 
FROM Orion.Nodes AS E0
WHERE ( E0.[Caption] != 'ThatOtherRouter' )
AND ( E0.[CustomProperties].[DeviceRole] = 'WAN' )

If you need help, feel free to post the results of your "Show SWQL" here.

0 Kudos

I've downloaded SWQL Studio. This is the first time I've used it, so please bear with me as I don't really know it that well. My query looks like this, which if I run it in the studio doesn't display anything:

pastedImage_0.png

If I remove the WHERE Status line like you suggested and input the last line you typed, I get the same result as above. The second set you typed, when run in SWQL, does give me the results that I expect to see, which is good; that's what I want. So from that, my original query isn't configured, hence why it doesn't display any results.

pastedImage_1.png

Again, apologies for my next stupid question... how do I get the correct code you entered into the alert?

0 Kudos

That actually looks accurate. Try this, it will add the current status to your query:

SELECT
E0.[NodeID]
,E0.[Caption]
,E0.[IPAddress]
,E0.[CustomProperties].[DeviceRole]
,E0.[StatusDescription]
FROM Orion.Nodes AS E0
WHERE ( E0.[CustomProperties].[DeviceRole] = 'WAN' )

The conditional logic looks correct. I think you may need to dig a little deeper to ensure that there's actually an event that captured a down event.

SELECT
n.Caption
,n.IPAddress
,n.CustomProperties.DeviceRole
,TOLOCAL(n.Events.EventTime) AS [EventTime]
,n.Events.Message
,n.Events.EventTypeProperties.Name
FROM Orion.Nodes n
WHERE n.CustomProperties.DeviceRole = 'WAN'
AND n.Events.EventType = 1
ORDER BY [EventTime] DESC

This will show you every down event captured on any of your WAN devices for the length of your Events retention (default is 30 days).

If you find events in there, the next thing to look at would be whether or not you have a Trigger delay added, or if you've changed the evaluation interval of the alert.

0 Kudos
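Added example, not part of the original thread: a single SWQL query that classifies every node against both alert scopes discussed above, so gaps between the generic alert and the WAN alert show up in one result set. It assumes the generic alert excludes WAN routers by `DeviceRole != 'WAN'` (the thread does not show the actual exclusion); the `ExpectedScope` and `DownNow` column names are made up for illustration.

```sql
-- Added example (SWQL, for SWQL Studio); not the poster's alert definition.
-- Assumption: the generic alert excludes WAN routers with DeviceRole != 'WAN'.
-- Adapt the CASE branches if your exclusion is written on Caption instead.
SELECT
    n.NodeID
   ,n.Caption
   ,n.IPAddress
   ,n.CustomProperties.DeviceRole AS [DeviceRole]
   ,n.StatusDescription
   ,CASE
        -- Scope of the dedicated WAN router alert
        WHEN n.CustomProperties.DeviceRole = 'WAN' THEN 'WAN alert'
        -- An unset DeviceRole satisfies neither = 'WAN' nor != 'WAN',
        -- so under the assumption above such a node is in no alert scope
        WHEN n.CustomProperties.DeviceRole IS NULL THEN 'none (DeviceRole not set)'
        ELSE 'generic alert'
    END AS [ExpectedScope]
    -- Status 2 is the "down" value used in the alert's generated query
   ,CASE WHEN n.Status = 2 THEN 'yes' ELSE 'no' END AS [DownNow]
FROM Orion.Nodes n
ORDER BY [ExpectedScope], n.Caption
```

Any WAN router that lands in a scope other than 'WAN alert', or any node that lands in 'none', is a candidate for a down event that no alert will report.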