
SWQL query to list Netflow received on unmonitored nodes

With the help of smttysmth02gt I was able to put together a SWQL query you can put into a "Custom query" widget or report in order to see all IPs that were sending NetFlow that you aren't polling from in Orion. This trims out everything from the event, which otherwise would say:

NetFlow Receiver Service [ORIONSERVER] is receiving a NetFlow data stream from an unmanaged device ( The NetFlow data stream from (IP) will be discarded. Please use Orion Node management to manage this IP address in order to process this NetFlow data stream, or just use Manage this device.

SELECT EventTime
, EventType
, SUBSTRING(Message,
    CHARINDEX('IPAddress=', Message) + LENGTH('IPAddress='),
    CHARINDEX('"', Message, CHARINDEX('IPAddress=', Message)) - (CHARINDEX('IPAddress=', Message) + LENGTH('IPAddress='))
  ) AS IPAddress
-- grabs the text that follows 'IPAddress=' in the event message, up to the next double quote,
-- which is the sender IP of the unmanaged NetFlow stream
FROM Orion.Events
WHERE EventType = 302 -- unmanaged NetFlow node event

The result looks like this when run from SWQL Studio or elsewhere. If you have lots of NetFlow events, this can be helpful in case it slides well past your NetFlow event history.

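The CHARINDEX/SUBSTRING arithmetic above is easy to get subtly wrong, so here is an added offline model of it in Python (example code written for this page, not the poster's query or any SolarWinds code). It reproduces the expression step by step over constructed Orion.Events rows so you can see exactly which characters it returns, shows a row without the IPAddress= parameter that the expression cannot handle, and then groups the result the way you usually want it in a widget: one line per distinct sender with an event count and last-seen time. The IPs, timestamps, server name and the href path inside the message text are all made up; the query only depends on an IPAddress=<ip>" fragment being present.

```python
"""Offline model of the post's SWQL extraction, run over constructed Orion.Events rows."""
import re

UNMANAGED_NETFLOW_EVENT_TYPE = 302  # EventType filtered on in the post's WHERE clause


def make_event_message(ip, server="ORIONSERVER"):
    """Build message text shaped like the unmanaged-device event quoted in the post.

    Constructed for this example. The query only relies on an 'IPAddress=<ip>"' fragment
    being present; the href path it sits in here is an assumption, not the real link.
    """
    return (
        f"NetFlow Receiver Service [{server}] is receiving a NetFlow data stream "
        f"from an unmanaged device ({ip}). The NetFlow data stream from {ip} will be "
        "discarded. Please use Orion Node management to manage this IP address in "
        "order to process this NetFlow data stream, or just use "
        f'<a href="/Orion/Nodes/Add/Default.aspx?IPAddress={ip}">'
        "<u><b>Manage this device</b></u></a>."
    )


# Constructed rows in the shape a SWIS query of Orion.Events returns (made-up data).
SAMPLE_EVENTS = [
    {"EventTime": "2024-03-01T08:00:00", "EventType": 302, "Message": make_event_message("10.20.30.40")},
    {"EventTime": "2024-03-01T08:05:00", "EventType": 302, "Message": make_event_message("192.168.77.9")},
    {"EventTime": "2024-03-01T08:10:00", "EventType": 302, "Message": make_event_message("10.20.30.40")},
    {"EventTime": "2024-03-01T08:12:00", "EventType": 5, "Message": "Node Up: core-sw-01"},
    # A 302 row without the IPAddress= parameter: the SWQL expression has nothing to slice.
    {"EventTime": "2024-03-01T08:15:00", "EventType": 302,
     "Message": "NetFlow Receiver Service [ORIONSERVER] is receiving a NetFlow data stream "
                "from an unmanaged device."},
]


def charindex(needle, haystack, start=1):
    """CHARINDEX as SWQL/T-SQL define it: 1-based position of needle, 0 when absent.
    A start of 0 or 1 both mean 'search from the beginning'."""
    pos = haystack.find(needle, max(start - 1, 0))
    return pos + 1 if pos >= 0 else 0


def ip_from_message_swql(message):
    """Step-by-step translation of the SUBSTRING(...) expression in the post."""
    marker = "IPAddress="
    marker_pos = charindex(marker, message)            # CHARINDEX('IPAddress=', Message)
    start = marker_pos + len(marker)                   # ... + LENGTH('IPAddress=')
    quote_pos = charindex('"', message, marker_pos)    # CHARINDEX('"', Message, CHARINDEX(...))
    length = quote_pos - start                         # end of IP minus start of IP
    if marker_pos == 0 or length < 0:
        # Marker missing: the real expression would slice from offset 10 with a negative
        # length, which is an error or junk depending on the engine. Report "no IP" instead.
        return None
    return message[start - 1 : start - 1 + length]     # SUBSTRING is 1-based


IP_RE = re.compile(r"IPAddress=(\d{1,3}(?:\.\d{1,3}){3})")


def ip_from_message(message):
    """Tolerant equivalent: pull the dotted quad after IPAddress=, or None if absent."""
    m = IP_RE.search(message)
    return m.group(1) if m else None


def summarize_unmanaged_senders(events):
    """Distinct sender IPs with event count and most recent time, i.e. the GROUP BY you
    would add on top of the post's query to make a long event history readable."""
    summary = {}
    for ev in events:
        if ev["EventType"] != UNMANAGED_NETFLOW_EVENT_TYPE:
            continue
        ip = ip_from_message(ev["Message"])
        if ip is None:
            continue
        entry = summary.setdefault(ip, {"events": 0, "last_seen": ev["EventTime"]})
        entry["events"] += 1
        entry["last_seen"] = max(entry["last_seen"], ev["EventTime"])  # ISO strings sort by time
    return summary


if __name__ == "__main__":
    for ip, info in sorted(summarize_unmanaged_senders(SAMPLE_EVENTS).items()):
        print(f"{ip:<16} events={info['events']}  last_seen={info['last_seen']}")
```

The literal translation and the regex version agree on well-formed rows; they differ only on a row where the IPAddress= parameter is missing, which is the case to check before trusting the widget output after a product upgrade changes the event wording.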