NPM 2020.2 in use and I am trying to code Advanced SQL trap alerts. But the trap database table contains no data. I can see the traps coming in via log viewer. The Trap database statistics show no rows of data also.
Sorry, I am a newbie on a steep learning curve 🙂
Thanks in advance
Sorry - I just re-read this post with a little more sleep under my belt. What you're asking for might not be achievable.
If I've re-read this correctly, what you're asking for is a 1min trigger delay whereby the Alert will only trigger IF the condition exists for > 1 minute?
Traps/Syslog are basically event messages so it isn't possible for the EXIST condition to apply here as the condition exists in the database for as long as you store it, like all events. As there are no natural reset conditions for a Trap/Syslog I'm not sure why you would want a delay. The only thing you could do is potentially look at using the Custom SWQL (Thx @sum_giais) to only trigger after multiple triggers of the same event on the same node?
On 2020.2 the old log viewer still opens but as you say, shows no data.
SolarWinds deprecated this with the latest version so it can only be done from log viewer - which, by their own admission, is far from complete and far from providing the functionality of the trap viewer.
My cynical take on this is they've removed a working aspect and are now pushing their all new "log analyzer" <sic>. Yes, there's a free version, but for full live functionality you need to start paying. And licensing is, from my view, horrendously expensive. Just my 2p mind.
I have been successful in creating alerts from the log viewer as per your link. What I am also trying to achieve is an alert trigger delay filter.
Active alarm trap is received and processed (As Below)
What I am unable to do is create a 1min delay using this method. I only want alerts for alarms that are active for > 1 min.
The alarm delay condition disappears when Log analyzer alert message event is selected as a trigger. Online reading points me towards using custom SQL to achieve this.
I have traps coming in and working.
But the trap database file is empty for SQL.
Thanks in advance
The way the Analyzer alert integration works is you're basically creating an event-driven alert. So LA triggers an event and your alert is looking for that event; there isn't an option to add a delay in this scenario. The only workaround for this would be to write a Custom SWQL/SQL Alert to reference your conditions directly from the Log Analyzer database.
I'd build it out in SWQL. Not sure exactly how I'd build an alert with this yet (as I've not done it myself) but this would be some SWQL to get you going looking at the syslogs from SolarWinds Orion Log Viewer (LV) or Log Analyzer (LA). I've always used the built-in functionality. Might require some crafty SWQL work to achieve what you're looking for.. as other folks have mentioned syslogs are really event driven in SolarWinds.
```sql
SELECT TOP 1000
    n.Caption,
    n.MachineType,
    ms.IPAddress AS SourceIP,
    le.LogEntryID,
    le.LogEntryTypeID,
    le.LogEntryLevelID,
    le.NodeID,
    le.MessageSourceID,
    le.DateTime,
    le.MessageDateTime,
    le.Message
FROM Orion.OLM.LogEntry AS le
LEFT JOIN Orion.Nodes AS n ON le.NodeID = n.NodeID
LEFT JOIN Orion.OLM.MessageSources AS ms ON le.MessageSourceID = ms.MessageSourceID
```
This is just a start... there's much more possibility with this. Above is just a couple quick left joins to pull in the caption and machine type of the node, and the source IP of the received log.
Much of this could be easily translatable (as usual) from SWQL to SQL. Just keep in mind that in SQL, LV / LA have their own database as it's memory-optimized. In SQL you could look in the OrionLog_LogEntry table in the 'SolarWindsOrionLog' database (default name unless changed I believe...).
I hope this helps.
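As an added example (not part of any post in this thread), here is one way to express the "multiple triggers of the same event on the same node" idea raised earlier as SWQL, using only the entity and columns from the query above. The 5-minute window, the threshold of 2, and the assumption that `DateTime` is stored in UTC are illustrative and should be checked against your own data.

```sql
-- Added example: nodes that logged the same message more than once
-- inside a recent window. Entity and column names are taken from the
-- query posted above; everything else is an assumption, marked below.
SELECT
    le.NodeID,
    n.Caption,
    le.Message,
    COUNT(le.LogEntryID) AS Occurrences,   -- how many times the event repeated
    MIN(le.DateTime)     AS FirstSeen,     -- earliest copy inside the window
    MAX(le.DateTime)     AS LastSeen       -- most recent copy inside the window
FROM Orion.OLM.LogEntry AS le
LEFT JOIN Orion.Nodes AS n ON le.NodeID = n.NodeID
-- Assumption: le.DateTime is stored in UTC. The 5-minute look-back is an
-- illustrative value, not one given in the thread.
WHERE le.DateTime >= ADDMINUTE(-5, GETUTCDATE())
-- To restrict this to traps only, add a filter on le.LogEntryTypeID here;
-- the type ID for traps is not given in the thread, so look it up first.
GROUP BY le.NodeID, n.Caption, le.Message
-- Assumption: "repeated" means two or more copies; raise as needed.
HAVING COUNT(le.LogEntryID) >= 2
```

Run it in SWQL Studio first to confirm the grouping matches how your devices word their traps; a custom SWQL alert additionally requires the query to fit the fixed SELECT the alert editor supplies for the chosen object type.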