cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

adv alert suppression

i'm trying hard to get 'suppression' to work with Adv Alerts, but i feel like i'm beating my head against a brick wall here.


here's my scenario, and it's very simplified here to help get my point across...hopefully i can do that!


 


i'm using the Advance Alert Trigger Condition on the Property:Interface - with the condition of Avg Rec and Xmit Percent Util


i do successfully get all my trigger & reset alerts for all of device interfaces - so, we know this part works. here is a list of devices with those alerts.


(device names and interfaces)
ServerEMAIL MS Loopback Interface
ServerDNS MS Loopback Interface
Router1 Serial 1.0
Router2 Multilink
Router3 HSSI/3.3


however, i want to suppress just those interfaces on ServerEMAIL & ServerDNS, but i can't make it work whenever i use any properties for INTERFACE or NODE.



that is, i only want to suppress the node names of:
ServerEMAIL
ServerDNS


i've tried suppressing by $objectname - $systemname - $captionname - $fullname - $ipaddress and i have tried various Interface Details objects, but nothing works. can this even be done or what am i missing here?


 


thanks.


Gil

0 Kudos
8 Replies
Level 7

I found that alert suppression based on more than 1 device does not work in advanced alerts and why - what this is doing on the backend is creating a count sql query (select count ....)  If you put in critieria such as node name = server1 and then node name = server2, regardless of how you format this with condition groups, the sql created is something like:

 where nodename = 'server1' and nodename = 'server2'

the result of which will be a count of 0 records, because obviously no node can have 2 different names.  You can find the sql query your suppression criteria generates in the AlertSuppression table in your database, so you can see what count its returning.  I even tried creating the correct sql query and putting it in the database to return 2 devices, but it appears that any value other than 1 will not trigger the suppression.

Hope this helps you troubleshoot the problem.

 

 




 

0 Kudos
Level 17

How do you have the Suppression tab setup? Anything like this?-

0 Kudos

i did not or have not included the NODE STATUS check. i guess i missed that being a condition somewhere along the way.


i'll include this check and conduct a few tests and get back later. thanks.


0 Kudos

if i include the NODE STATUS it works - but for only one node name at a time.


i see you have two seperate screenshots with two different node names for Alerts. Can this suppression be done for multiple Node Names with only one condition for Node Status within the same Alert? i'm trying the logic, but it doesn't appear to catch both node names.


i've tried


 Suppress Alert when all of the following apply
 Node Status is not equal to Up
 Node Name is equal to ServerEMAIL


(this one always works but to try to get both nodes i then try these...)


 Suppress Alert when all of the following apply
 Node Status is not equal to Up
 Node Name is equal to ServerEMAIL
 Node Name is equal to ServerDNS


and then i've tried


Suppress Alert when all of the following apply
 Node Status is not equal to Up
Suppress Alert when any of the following apply
 Node Name is equal to ServerEMAIL
 Node Name is equal to ServerDNS


and i have tried replacing any with all... 


it seems to only pick up on that first node name, the other is always ignored. any ideas on that? thanks for your help.

0 Kudos

I'm only guessing here but I bet you just added a condition group then moved it up to be below "Node Status is not equal to Up" ?

This will not work, you can see by looking at the indentations that "Node Status", "Node Name" and "Node Name" are still under the condition group "All"

Suppress Alert when all of the following apply
 Node Status is not equal to Up
Suppress Alert when any of the following apply
 Node Name is equal to ServerEMAIL
 Node Name is equal to ServerDNS

You have to delete both node names, then highlight "any" group condition and then select add "condition" and then specify both node names, it should then be displayed as...

Suppress Alert when all of the following apply
 Node Status is not equal to Up
 Suppress Alert when any of the following apply
   Node Name is equal to ServerEMAIL
   Node Name is equal to ServerDNS

You may even have to delete the condition group "Any" as well and recreate it?

Here's what I have which alerts if the util on either TX or RX is above 80% but must contain the custom property WAN... pay attention to the indentation...

 

rgds

Dave

0 Kudos

it looks like i may have to go to custom property as well - this is just not working out. you'd think it would be easier than this with the way the Property lists are presented along with the Conditions to use.


i did try your suggestion of this:


Suppress Alert when all of the following apply
 Node Status is not equal to Up
 Suppress Alert when any of the following apply
   Node Name is equal to ServerEMAIL
   Node Name is equal to ServerDNS


but SWAlertEngine gave the message "Complex condition is empty, does not contain nested condtions."


i'm going to work on this a while longer.


does anyone know of any 'advanced alerts' examples out there using NESTED CONDITIONS????


 


0 Kudos

the error "Does not contain nested conditions" means that one of your condition groups does not contain any conditions. I would suggest removing all trigger conditions and groups and reinsert them one at a time ensuring that when you create a new condition you create it "from" the condition group. The conditions you have will work, you just need to make sure there created in the correct way. I agree it's a bit unforgiving but it does work.

0 Kudos

 Yes, creating separate alerts might be best here - stick with what works or You may want to add the condition to the TRIGGER criteria “AND NODE NAME NOT EQUAL TO ServerEMAIL, etc..

0 Kudos