Level 7

Traps setup issue

Hi,

NPM 2020.2 in use and I am trying to code Advanced SQL trap alerts. But the trap database table contains no data. I can see the traps coming in via log viewer. The Trap database statistics show no rows of data also.

Any ideas?

Sorry, I am a newbie on a steep learning curve 🙂

Thanks in advance

0 Kudos
8 Replies
Level 12

Apologies, it appears I may have misunderstood your request.

But I am following along with interest as I'd love to see what you develop if you are successful.

0 Kudos

 

Sorry - I just re-read this post with a little more sleep under my belt. What you're asking for might not be achievable.

If I've re-read this correctly, what you're asking for is a 1min trigger delay whereby the Alert will only trigger IF the condition exists for > 1 minute?

Traps/Syslog are basically event messages so it isn't possible for the EXIST condition to apply here as the condition exists in the database for as long as you store it, like all events. As there are no natural reset conditions for a Trap/Syslog I'm not sure why you would want a delay. The only thing you could do is potentially look at using the Custom SWQL (Thx @sum_giais) to only trigger after multiple triggers of the same event on the same node?

- David Smith
0 Kudos
Level 12

On 2020.2 the old log viewer still opens but as you say, shows no data.

SolarWinds deprecated this with the latest version so it can only be done from log viewer - which, by their own admission, is far from complete and far from providing the functionality of the trap viewer.

My cynical take on this is they've removed a working aspect and are now pushing their all new "log analyzer" <sic> Yes, there's a free version, but for full live functionality you need to start paying. And licensing is, from my view, horrendously expensive. Just my 2p mind.

0 Kudos
Level 16

0 Kudos

Hi @neomatrix1217 @stuartd 

I have been successful in creating alerts from the log viewer as per your link. What I am also trying to achieve is an alert trigger delay filter.

Active alarm trap is received and processed (As Below)

Travisty_1-1593208587621.png

Trigger Condition 

Travisty_2-1593208774633.png

 

What I am unable to do is create a 1min delay using this method. I only want alerts for alarms that are active for > 1 min.

The alarm delay condition disappears when Log analyzer alert message event is selected as a trigger. Online reading points me towards using custom SQL to achieve this.

I have traps coming in and working.

Travisty_3-1593209221624.png

 

But the trap database file is empty for SQL 

Travisty_5-1593209335589.png

Travisty_4-1593209318780.png

Thanks in advance

Travis 

 

 

 

 

 

0 Kudos

The way the Analyzer alert integration works is you're basically creating an event-driven alert. So LA triggers an event and your alert is looking for that event; there isn't an option to add a delay in this scenario. The only workaround for this would be to write a Custom SWQL/SQL Alert to reference your conditions directly from the Log Analyzer database.

- David Smith
0 Kudos

Hi @dgsmith80 ,

 

Would you be so kind as to point me to the correct SQL database table, as the traps one is empty?

 

Thanks

 

Travis 

0 Kudos

I'd build it out in SWQL. Not sure exactly how I'd build an alert with this yet (as I've not done it myself) but this would be some SWQL to get you going looking at the syslogs from SolarWinds Orion Log Viewer (LV) or Log Analyzer (LA). I've always used the built-in functionality. Might require some crafty SWQL work to achieve what you're looking for... as other folks have mentioned, syslogs are really event driven in SolarWinds.

 

SELECT TOP 1000 n.Caption, n.MachineType, ms.IPAddress AS SourceIP, le.LogEntryID, le.LogEntryTypeID, le.LogEntryLevelID, le.NodeID, le.MessageSourceID, le.DateTime, le.MessageDateTime, le.Message
FROM Orion.OLM.LogEntry AS le
LEFT JOIN Orion.Nodes AS n
ON le.NodeID = n.NodeID
LEFT JOIN Orion.OLM.MessageSources AS ms
ON le.MessageSourceID = ms.MessageSourceID

 

 
This is just a start... there's much more possibility with this. Above is just a couple quick left joins to pull in the caption and machine type of the node, and the source IP of the received log.

Much of this could be easily translatable (as usual) from SWQL to SQL. Just keep in mind that in SQL, LV / LA have their own database as it's memory-optimized. In SQL you could look in the OrionLog_LogEntry table in the 'SolarWindsOrionLog' database (default name unless changed, I believe...)

I hope this helps.
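
The "only trigger after multiple triggers of the same event on the same node" idea suggested in this thread, sketched as an added Python example (not code from any poster and not a SolarWinds API). It runs over constructed rows shaped like the NodeID, DateTime and Message columns of the SWQL query above; the threshold, window and sample messages are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows: (NodeID, DateTime, Message), mirroring the
# columns returned from Orion.OLM.LogEntry in the query above.
ROWS = [
    (12, "2020-06-26 21:00:05", "alarmActive: fan tray 1"),
    (12, "2020-06-26 21:00:40", "alarmActive: fan tray 1"),
    (12, "2020-06-26 21:01:10", "alarmActive: fan tray 1"),
    (31, "2020-06-26 21:00:20", "alarmActive: psu 2"),
    (31, "2020-06-26 21:09:00", "alarmActive: psu 2"),
]

def repeated_events(rows, min_count=3, window=timedelta(minutes=2)):
    """Return (node_id, message, first_seen, last_seen) for every
    (node, message) pair that reaches min_count events inside one
    sliding window. A pair fires once per burst and re-arms only
    after its window has emptied, so a long burst yields one hit."""
    recent = defaultdict(deque)   # (node, message) -> timestamps in window
    fired = set()                 # pairs already reported for this burst
    hits = []
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), node, msg)
        for node, ts, msg in rows
    )
    for when, node, msg in parsed:
        key = (node, msg)
        q = recent[key]
        # Drop timestamps that have aged out of the window.
        while q and when - q[0] > window:
            q.popleft()
        if not q:
            fired.discard(key)    # burst ended, allow a new alert
        q.append(when)
        if len(q) >= min_count and key not in fired:
            fired.add(key)
            hits.append((node, msg, q[0], when))
    return hits

if __name__ == "__main__":
    for node, msg, first, last in repeated_events(ROWS):
        print(f"node {node}: '{msg}' repeated between {first} and {last}")
```

The same grouping (per node and message, counted inside a time window) is what a custom SWQL or SQL alert condition would have to express against the log entry table.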