• State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 15 subscribers
  • Views 1265 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

SQL Help, Alert History filtered by custom property

xaviermace

I could use some assistance on this.  I'm pretty rusty on doing anything SQL, and have never really done joins, and I don't have much experience manually digging around the SolarWinds database.  I'm looking to create a report that shows the last 30 (or maybe 90?) days of alerts with for a specific client.  We have a custom property for the client name.  I was able to get a query to pull most of what I need from the Alert History View, but I want the report to show the time the alert triggered, when it was acknowledged, and ideally when it reset.  That's where I'm getting stuck.  That info isn't in the AlertHistoryView so I'm assuming I need to another table.  The AlertActive table seems to have the data I need and the AlertActiveID appears to link the two but I'm apparently missing something.

SELECT ah.EventTypeWord, ah.Message, ah.TimeStamp, ah.RelatedNodeCaption FROM AlertHistoryView ah

INNER JOIN NodesCustomProperties ncp

ON ah.RelatedNodeID =ncp.NodeID

WHERE ncp.CustomerName = 'Client Name' AND ah.EventTypeWord = 'Triggered' AND ah.TimeStamp >= DATEADD(month,-1,GETDATE())

ORDER BY ah.TimeStamp

But when I add a second join, I get no results.

INNER JOIN AlertActive aa

ON ah.AlertActiveID=aa.AlertActiveID

If I manually search for a specific AlertActiveID number in both tables, I get the data I would expect, so what am I not understanding about doing multiple joins?  Or am I completely approaching this the wrong way entirely?

  • 0

    Use this in a custom query resource in the web console, sounds like it has everything you are looking for

    --report on alerts triggered 


    select ac.Name
    ,ah.Message
    ,'/Orion/NetPerfMon/ActiveAlertDetails.aspx?NetObject=AAT:'+ToString(AlertObjectID) as [_linkfor_Name]
    ,EntityCaption as [Trigger Object]
    ,EntityDetailsUrl as [_linkfor_Trigger Object]
    ,case 
    WHEN RelatedNodeCaption=EntityCaption THEN 'Self'
    When RelatedNodeCaption!=EntityCaption THEN RelatedNodeCaption
    End as [Parent Node]
    ,RelatedNodeDetailsUrl as [_linkfor_Parent Node]
    ,'/Orion/images/StatusIcons/Small-' + p.StatusIcon AS [_IconFor_Parent Node]
    ,tostring(tolocal(ah.TimeStamp)) as [Trigger Time]
    ,case when ack.timestamp is null then 'N/A'
    else tostring(minutediff(ah.TimeStamp,ack.timestamp))
    end as [Minutes Until Acknowledged]
    ,ack.Message as [Note]
    ,case when reset.timestamp is null then 'N/A'
    else tostring(minutediff(ah.TimeStamp,reset.timestamp))
    end as [Minutes Until Reset]


    FROM Orion.AlertHistory ah
    left join Orion.AlertObjects ao on ao.alertobjectid=ah.alertobjectid
    left join Orion.AlertConfigurations ac on ac.alertid=ao.alertid
    left join Orion.Actions a on a.actionid=ah.actionid
    left join Orion.Nodes p on p.nodeid=RelatedNodeID
    left join (select timestamp, AlertActiveID, AlertObjectID,message from orion.alerthistory ah where eventtype=2) ack on ack.alertactiveid=ah.AlertActiveID and ack.alertobjectid=ah.AlertObjectID
    left join (select timestamp, AlertActiveID, AlertObjectID from orion.alerthistory ah where eventtype=1) reset on reset.alertactiveid=ah.AlertActiveID and reset.alertobjectid=ah.AlertObjectID


    WHERE 
    daydiff(ah.timestamp,GETUTCDATE())<30
    and ah.eventtype=0
    --and (ac.Name like '%${SEARCH_STRING}%' or EntityCaption like '%${SEARCH_STRING}%' or RelatedNodeCaption like '%${SEARCH_STRING}%')
    --and p.customproperties.customername like 'whatever'

    order by ah.timestamp desc

    pastedImage_1.png

  • 0 in reply to mesverrum

    That looks to be perfect.  Very much appreciated!

  • 0 in reply to mesverrum

    I found this very helpful. BUT I  am stumped trying to add data to the report with fields from our Custom Properties.

    I see this part:

    p.customproperties.customername

    and I understand that if my Custom Property field name is "client" I would use

    p.customproperties.client

    Or if the field was named "ad_domain" I would use

    p.customproperties.ad_domain

    I just don't see where I would add that SWQL to the report to include "ad_domain" as an item in this report.

    My goal

    Include ad domain then Group results by p.customproperties.ad_domain then ORDER by p.customproperties.client, then by ah.timestamp desc

    Any assistance is appreciated!

  • 0 in reply to bwaz

    Just add your p.customproperties.ad_domain to the select section, and then to the order by before the timestamp

  • 0

    Hi,

    Thank you for posting the query this is helpful.  I just want to add one more thing but can't find the ac.? or where to look and where to add this to the query. "Object that triggered this alert" 

    activealert2019.png

    any help is appreciate it.

    Thanks in Advance,

    Cheers,
    Lester C

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.