m-milligan
Level 13

Re: Report showing user who unmanaged elements and muted alerts

How about this query? This will also get you the currently muted nodes, etc.

Edited 2018-05-03 to account for variation in Orion.AuditingActionTypes.ActionTypeID across installations.

SELECT N.Caption, Supp.SuppressFrom, Supp.SuppressUntil, LastMuteEvent.TimeLoggedUtc, AE.AccountID
FROM Orion.Nodes N
INNER JOIN Orion.AlertSuppression Supp ON Supp.EntityUri = N.Uri
LEFT OUTER JOIN (
    SELECT NetObjectID, MAX(AuditEventID) AS [AuditEventID], MAX(TimeLoggedUtc) AS [TimeLoggedUtc]
    FROM Orion.AuditingEvents
    WHERE ActionTypeID IN (
        SELECT ActionTypeID
        FROM Orion.AuditingActionTypes
        WHERE ActionType = 'Orion.AlertSuppressionAdded'
           OR ActionType = 'Orion.AlertSuppressionChanged'
    )
    GROUP BY NetObjectID
) AS [LastMuteEvent] ON LastMuteEvent.NetObjectID = N.NodeID
LEFT OUTER JOIN Orion.AuditingEvents AE ON AE.AuditEventID = LastMuteEvent.AuditEventID
ORDER BY N.Caption

0 Kudos
patriot
Level 12

I'm getting data in the query resource now, but any idea why the last three columns are empty?

2018-05-01_15-57-40.jpg

0 Kudos
m-milligan
Level 13

"SuppressUntil" is empty because no end time was specified when the node was muted. The node will stay muted until it's explicitly un-muted. That's the default behavior if a user just clicks Maintenance Mode - Mute Alerts Now, like this:

pastedImage_0.png

The other columns could be empty if the alert had been muted a long time ago and the events had since been purged from Orion.AuditEvents. However, I see the SuppressFrom dates are from today, so I'm assuming you just did these, correct?

Run this query in SWQL Studio and see if the mute events are being logged in there. That's where my query gets that data; if the events are not being logged, the TimeLoggedUtc and AccountID columns will be empty. Do you see a row with a recent timestamp for each node you muted?

SELECT NetObjectID, MAX(AuditEventID) AS [AuditEventID], MAX(TimeLoggedUtc) AS [TimeLoggedUtc]
FROM Orion.AuditingEvents
WHERE ActionTypeID IN (102,103)
GROUP BY NetObjectID

0 Kudos
patriot
Level 12

If you mean to run the query in Database Manager, I did that after removing the "Orion." in front of AuditingEvents in line 2. However, there were no returned results. Not sure what that means though.

And yes, I muted some alerts and unmanaged some nodes just today for testing. I would have expected to see my user account and the timestamp for when I executed the action.

Strange.

0 Kudos
m-milligan
Level 13

No, I mean run the query in the SWQL Studio application. That's the SWQL equivalent to Database Manager. It should have been installed when you installed Solarwinds.

In this case, running that query in Database Manager (after removing "Orion.") should produce the same result as running it in SWQL Studio. Does the AuditingEvents table contain any rows at all? What do you get with these two queries in Database Manager?

select count('x') from AuditingEvents

select count('x') from AuditingEvents where ActionTypeID in (102,103)

What version of Solarwinds are you running?

0 Kudos
patriot
Level 12

Where is the SWQL Studio? On the Start menu on the Primary polling server?

0 Kudos
patriot
Level 12

The first query gives a result of 980. The second one a result of 0. Hmmm.

0 Kudos
m-milligan
Level 13

It should be on the Start menu on your main Orion poller, in the Solarwinds Orion SDK group.

0 Kudos
m-milligan
Level 13

OK, that suggests that Solarwinds is not logging auditing events for Alert Suppression (muting). That's why those three columns are empty in the query results - there is no matching data in the table that logs the auditing events.

When you run the query below, what do you get? I wonder if your installation has an Action Type ID for these events.

SELECT ActionTypeID, ActionType, ActionTypeDisplayName
FROM Orion.AuditingActionTypes
where ActionType like '%Suppression%'
0 Kudos
patriot
Level 12

I get the following:

query.jpg

0 Kudos
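
The two checks made in this thread (which suppression action types the installation defines, and whether any audit events are logged for them) can be combined into one SWQL query. This is an added example, not a query posted by anyone in the thread; it uses only the entities and columns that appear in the queries above, and the output column names EventCount and LastLogged are chosen here.

```sql
-- Added example (not from the thread): audit-logging coverage for alert suppression.
-- One row per suppression-related action type defined on this installation.
--   EventCount = 0  -> the action type exists but no events are logged for it
--   no rows at all  -> the installation defines no suppression action types
-- EventCount and LastLogged are names chosen for this example.
SELECT T.ActionTypeID,
       T.ActionType,
       T.ActionTypeDisplayName,
       COUNT(E.AuditEventID) AS EventCount,
       MAX(E.TimeLoggedUtc)  AS LastLogged
FROM Orion.AuditingActionTypes T
LEFT JOIN Orion.AuditingEvents E ON E.ActionTypeID = T.ActionTypeID
WHERE T.ActionType LIKE '%Suppression%'
GROUP BY T.ActionTypeID, T.ActionType, T.ActionTypeDisplayName
ORDER BY T.ActionTypeID
```

Because the action types are matched by name, the result does not depend on the hard-coded IDs 102 and 103 being correct for the installation.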