• State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 38 subscribers
  • Views 764 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

SQL Alert Help

magicjuanhunglo

My SQL is not amazing.... trying to trigger an alert when the total bandwidth on specific interfaces reaches a specific amount over a period of time.... for example (Alert needs to trigger when any of those interfaces hit 25Mb in the current month).  I am able to get the values for each day, and the below code works for a "Daily Alert", but does not work at the monthly level because I need to be able to group them.... here is what i currently have:

SELECT Nodes.Caption, Nodes.NodeID FROM Nodes    ****BECAUSE OF HOW ORION IS WITH SQL ALERTS, THIS "Select/From" can't be changed*******

JOIN  InterfaceTrafficByDays itbd ON Nodes.NodeID = itbd.NodeID     ****Joined the table with the data*******

WHERE

(InterfaceID = '96662' OR InterfaceID = '85498' OR InterfaceID = '96664' OR InterfaceID = '88157' OR InterfaceID = '99464' OR InterfaceID = '99470' OR InterfaceID = '96943')     ****Picked the interfaces I needed*******

AND

(((itbd.In_TotalBytes + itbd.Out_TotalBytes)/1024)/1024 >= '25')     ****Took the IN/OUT Rows and did some math for 25Mb.*******

AND

(

(itbd.DateTime >= DATEADD(month, DATEDIFF(month,0,GETDATE()),0) )

AND

(itbd.DateTime < DATEADD(month, DATEDIFF(month,0,GETDATE()) +1,0) )       ****Defined that this has to happen between the beginning of the month and the end of the month*******

)

I think i need a second Select Query inside the JOIN to add a "GROUP BY", but not sure how to do that.   Any help would be greatly appreciated.

  • 0

    So this query is pretty likely to time out just do to the sheer amount of data it would have to crunch unless you environment is very small.  The interface in/out total bytes value is the total byes since the last time we polled.  So to get to your situation we are going to have to add them all up for each interface from the beginning of the month until now.

    I'm going to need some clarification here, is that 25 MB per month a limit for each interface individually, or is it 25 MB total across them all at once?

  • 0 in reply to mesverrum

    The InterfaceTrafficByDays holds the daily total for the interface... so yea, i would need the add up the days to determine if the interface went over 25Mb of usage.  There is one value per day in the table... so the query would only have to add up 31 values (days) at the most per Column in the table (2 columns, In_TotalBytes and Out_TotalBytess), per interface... total of about 7 interfaces. 

    Yes, 25Mb per month limit for EACH interface... .  If any one of those interfaces goes over the usage threshold, we need to trigger an alert.

    Like I said, my SQL is limited, and what I have above is patched together via some "googling".... so I'm open to any and all options

    Thanks

  • 0

    Interesting question - Could you expand on the problem? Not sure I understand the issue yet.

    UNION can add another query, not sure what "inside the join" means in context, also not entirely sure how Orion handles UNION here. It doesn't seem like that would be required though.

  • 0 in reply to magicjuanhunglo

    You were definitely over complicating this, but if you don't know SQL you wouldn't know what you need and what's irrelevant.

    First of all you don't want this to be a node alert, it should be an interface alert on the interface that breached the threshold.

    Like I mentioned initially, this query might time out in a big environment because the interface traffic history is often one of the biggest tables for many customers, but this is about as good as you'll get.

    The -- is a comment indicator, i included a lot more info than the query needs in case you want to reverse engineer how it works

    SELECT Interfaces.Uri, Interfaces.DisplayName FROM Orion.NPM.Interfaces AS Interfaces

    -----------------------------------------------------------------------------------------------------------------------------

    where interfaceid in

    (

    SELECT distinct i.interfaceid

    --, min(tolocal(i.DateTime)) as [Earliest Timestamp]

    --, sum(i.InTotalBytes) as [InBytesTotal]

    --, sum(i.OutTotalBytes) as [OutBytesTotal]

    from orion.npm.InterfaceTraffic i

    where tolocal(i.DateTime) >= DATETRUNC('month',GETDATE()) --datetrunc gets us the start of the current calendar month

    and i.interfaceid in (96662, 85498, 96664, 88157, 99464, 99470, 96943) --give me all the interface id's

    group by i.interfaceid

    having sum(i.InTotalBytes) > 25000000 --could be 26214400 if counting using binary

    or sum(i.OutTotalBytes) > 25000000 --could be 26214400 if counting using binary

    )

    It should look like this
    pastedImage_4.png

    -Marc Netterfield

        Loop1 Systems: SolarWinds Training and Professional Services

  • 0 in reply to mesverrum

    Awesome... this seems to have done the trick.   My SQL is "ehh" and my SWQL is worse... so this was just what I needed.

    Quick question... if i wanted to just run this query normally (say via a custom SWQL report), and show the values for In Total Bytes and Out Total Bytes, and the combined In+Out, so i could verify what values are getting returned, how would I do that... modify the select statement or something else... and what should I put? 

    Thanks again for all your help.

  • 0 in reply to magicjuanhunglo

    This should work as a custom swql query

    SELECT distinct i.interfaceid

    , min(tolocal(i.DateTime)) as [Earliest Timestamp]

    , sum(i.InTotalBytes) as [InBytesTotal]

    , sum(i.OutTotalBytes) as [OutBytesTotal]

    from orion.npm.InterfaceTraffic i

    where tolocal(i.DateTime) >= DATETRUNC('month',GETDATE()) --datetrunc gets us the start of the current calendar month

    and i.interfaceid in (96662, 85498, 96664, 88157, 99464, 99470, 96943) --give me all the interface id's

    group by i.interfaceid

    --having sum(i.InTotalBytes) > 25000000 --could be 26214400 if counting using binary

    --or sum(i.OutTotalBytes) > 25000000 --could be 26214400 if counting using binary

    Order by i.interfaceid

  • 0 in reply to mesverrum

    Awesome!! Thanks so much for your help.

    One more quick thing... for the report... what would i need to do if i wanted to join another table like ("Interfaces"... for example) so I could add additional data to the report.... Like adding Interfaces.FullName or some specific Interface Custom Properties?

  • 0 in reply to magicjuanhunglo

    add something like

    join orion.npm.interfaces int on int.interfaceid=i.interfaceid

    for all the columns you want to pull from orion.interfaces just put them in the select areas as int.columnname, for custom properties it would be int.customproperties.propertyname

    Have you installed SWQL studio on your orion server yet?  its nearly impossible to get anywhere doing this without it

    Home · solarwinds/OrionSDK Wiki · GitHub

    Releases · solarwinds/OrionSDK · GitHub

  • 0 in reply to mesverrum

    So, as the join seems to work fine, but when i add the column name to the select (in this case its int.FullName), the query fails... not sure what im doing wrong.  :

    SELECT distinct i.interfaceid, int.FullName

    , min(tolocal(i.DateTime)) as [Earliest Timestamp]

    , sum(i.InTotalBytes) as [InBytesTotal]

    , sum(i.OutTotalBytes) as [OutBytesTotal]

    from orion.npm.InterfaceTraffic i

    join orion.npm.interfaces int on int.interfaceid=i.interfaceid

    where tolocal(i.DateTime) >= DATETRUNC('month',GETDATE()) --datetrunc gets us the start of the current calendar month

    and i.interfaceid in (96662, 85498, 96664, 88157, 99464, 99470, 96943) --give me all the interface id's

    group by i.interfaceid

    --having sum(i.InTotalBytes) > 25000000 --could be 26214400 if counting using binary

    --or sum(i.OutTotalBytes) > 25000000 --could be 26214400 if counting using binary

    Order by i.interfaceid

  • 0 in reply to magicjuanhunglo

    Ah yeah, because we are doing the sum/min aggregations you have to also add those additional columns to the group by section.

    group by i.interfaceid, int.FullName

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.