We are currently implementing SolarWinds. 3x distributed (by location) Main Processing Engines (MPE) and a single EOC to consolidate dashboards...
We are at a quite early stage at the moment, implementing the modules (VMAN, NPM & SAM) onboarding the CIs and reviewing the alerts to decide which are appropriate.
Having run the "All Active Alerts" report on each MPE, I have a good view on the alerts at the point the report was taken. I then ran the "All Active Alerts" report on the MPE, and found that it was massively different.
My understanding is that the EOC rolls up the MPE alerts and reports them together. But, I've found that the EOC All Active Alerts report is reporting instances of alerts that aren't switched on, on any of the MPEs. The report is also reporting instances of alerts that have cleared. I have diff'd the SWQL for the "All Active Alerts" report on the EOC against an MPE and it's identical.
There is no "Manage Alerts" option on the EOC (whilst I wasn't expecting one - I have checked my admin account and it has alert management) so as far as I know, the control is done at the MPE level.
Am I missing something here? The behaviour is not what I'm expecting to see. I was not expecting to see alerts that are NOT enabled in the EOC report. I was not expecting to see alerts that are NOT currently active (alerting) in the EOC report.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community.
More than 150,000 members are here to solve problems, share technology and best practices, and directly
contribute to our product development process.