How can I tell WHY an Interface is in warning?

Are you able to check the Events table in the database for any associated messages for that interface?

I have pretty much the same problem. I get TONS of alerts saying interfaces are in warning status, but there is no data whatsoever, in the device or in Solarwinds, to explain why Solarwinds thinks the interfaces should be flagged as warning. I have opened 2 separate support cases 1341821 and 1369990 for this issue with no progress.

The first tech I talked to tried to convince me that it was the Cisco device reporting the warning status. It took me some research, but I finally was able to prove that at least for the Cisco devices in question, there is no SNMP interface warning status. This means that Solarwinds is the one flagging the warning status.

On the second support case, the tech had me create a test alert and we put in a bunch of macros hoping that one of the data points would give some indication of why Solarwinds is saying the interface is warning. Well, I just deleted over 26,000 email alerts and every single one that I looked at showed everything looks good, except that it shows the interface status as warning.

I am now searching Thwack hoping the community might have some answers. I'll post back here if I find anything helpful. We are also on NPM 12.1 The problem seemed to start recently, maybe within the past 3 or 4 months, but we have been on 12.1 for quite some time.

This might not be correct but it is my best guess for an answer. If you go the interfaces page and go to "Edit Interface" then scroll down to the bottom you should see.

Have you checked if any of those are true while the interface is in warning status?

I know you may be directing this to either myself, the OP, or both. I have definitely checked those thresholds. In fact, that was the first place I pointed Solarwinds tech support to look at. At no time have any of those thresholds been breached. The Solarwinds data bears this out in every single instance.

Yeah I am directing this to anyone who is worried about it lol. I'm looking into it more now and not finding concrete information on how that works exactly beyond what I have posted so far. Have you looked at what is being saved in the database for that interface around that time? Is it possible that there is a syslog/trap Alerts / Filters that could be changing the status?

Yes I actually even did raw SQL queries int the DB Manager trying to find any piece of data of why Solarwinds would say the interfaces are warning status. No luck there either.

It wouldn't/couldn't be a Syslog or Trap. Correct? Those are not truly integrated into the SNMP polled side of things the way people seem to think. In other words, what I am saying is that there is no mechanism built into Solarwinds that would receive a certain trap or syslog and based on that message put an interface into warning or other status. Solarwinds is not nearly as integrated as people seem to think it is.

As for alert filters, the alert that is triggering simply says "Alert if interface is in warning or critical status". So there is no threshold in the alert itself that is causing this.

The syslog and trap messages don't change interfaces by default. You wouldn't see them in the active alerts either if there is nothing in their Alert Actions to do so. It could be changing the status of an interface without really telling you where or why unless you know it is doing that.  Here is a screenshot of an example where if I get a certain kind of message the interface status is changed to Down.

Ah yes. You have explicitly set up a specific action. We don't have any of that going on here.

In that case I would consider using netpath from your polling engine(s) to the node with the most interfaces having this issue. Just to see if you can see anything there that may help. I'm not sure if you have looked into the logs on solarwinds either

C:\ProgramData\Solarwinds\Logs\Orion

One that might have something in there for you would be Interfaces.Collector.Jobs but I haven't been able to piece together exactly how all the logs work yet. Definitely curious to see what could be causing this.That way if I ever get asked this question about my interfaces I will know where all to look and why. Please keep us posted and good luck.

I'll take a look at the logs. I appreciate all the suggestions. If I anything interesting, I'll let you know.