SWQL query to list Netflow received on unmonitored nodes
With the help of smttysmth02gt I was able to put together a SWQL query you can put into a "Custom query" widget or report in order to see all IPs that were sending NetFlow that you aren't polling in Orion. This trims out everything from the event which otherwise would say:
NetFlow Receiver Service [ORIONSERVER] is receiving a NetFlow data stream from an unmanaged device (10.58.35.1). The NetFlow data stream from (IP) will be discarded. Please use Orion Node management to manage this IP address in order to process this NetFlow data stream, or just use <a href="https://thwack.solarwinds.com/Orion/TrafficAnalysis/Utils/AddNode.aspx?IPAddress=(IP)"><u><b>Manage this device</u></b></a>.
SELECT
    EventTime,
    EventType,
    -- take the text between 'IPAddress=' and the next '"' in the event's "Manage this device" link to get the IP
    SUBSTRING(Message, CHARINDEX('IPAddress=', Message) + LENGTH('IPAddress='), CHARINDEX('"', Message, CHARINDEX('IPAddress=', Message)) - (CHARINDEX('IPAddress=', Message) + LENGTH('IPAddress='))) AS IPAddress
FROM Orion.Events
WHERE EventType = 302 -- unmanaged NetFlow node event
ORDER BY EventTime DESC
The result of this looks like so, when run from SWQL studio or elsewhere. If you have lots of netflow events, this can be helpful in case it slides well past your netflow events history.
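As an added example (not part of the original post), this Python script post-processes rows exported from the query so that each unmanaged exporter appears once, with a hit count and first/last seen times. It repeats the query's extraction rule (text between `IPAddress=` and the next `"`), validates the result as an IP address, and counts rows it cannot parse; the sample rows, the `orion.example` host and the function names are constructed for illustration.

```python
import ipaddress

MARKER = "IPAddress="  # same anchor the SWQL query searches for

def _msg(ip_text):
    """Build a constructed message shaped like an EventType 302 event."""
    return ("NetFlow Receiver Service [ORIONSERVER] is receiving a NetFlow data "
            f"stream from an unmanaged device ({ip_text}). "
            f'<a href="https://orion.example/AddNode.aspx?IPAddress={ip_text}">'
            "Manage this device</a>.")

# Constructed sample rows: (EventTime as ISO 8601 text, Message)
SAMPLE_ROWS = [
    ("2024-03-01T10:00:00", _msg("10.58.35.1")),
    ("2024-03-01T10:05:00", _msg("10.58.35.1")),
    ("2024-03-01T09:30:00", _msg("192.0.2.77")),
    ("2024-03-01T11:00:00", "NetFlow Receiver Service [ORIONSERVER] message cut short"),
    ("2024-03-01T11:10:00", _msg("not-an-ip")),
]

def extract_ip(message):
    """Return the IP between 'IPAddress=' and the next '"', or None."""
    start = message.find(MARKER)
    if start == -1:
        return None  # marker missing: the SWQL SUBSTRING would return junk here
    start += len(MARKER)
    end = message.find('"', start)
    if end == -1:
        return None
    try:
        return str(ipaddress.ip_address(message[start:end]))
    except ValueError:
        return None  # extracted text is not a valid IPv4/IPv6 address

def summarize(rows):
    """Collapse events to one entry per exporter IP; count unparseable rows."""
    seen, skipped = {}, 0
    for event_time, message in rows:
        ip = extract_ip(message)
        if ip is None:
            skipped += 1
            continue
        entry = seen.setdefault(ip, {"count": 0, "first": event_time, "last": event_time})
        entry["count"] += 1
        # ISO 8601 strings in one time zone sort chronologically as text
        entry["first"] = min(entry["first"], event_time)
        entry["last"] = max(entry["last"], event_time)
    return seen, skipped

if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_ROWS)
    for ip, info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, info["count"], info["first"], info["last"])
    print("rows skipped:", skipped)
```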