Level 7

Building logic into alerts

I am looking to create some custom alerts in either SQL or SWQL with logic built into them.

My company is spread through multiple offices and our nodes are grouped by each office as well as each office having a distinct subnet. I am looking to find a way to use logic when a device has gone offline or rebooted. Here's kind of the logic I'm looking for.

If node has gone offline/rebooted

     and no other nodes have gone offline matching either the group or subnet

send notification stating which device has gone offline/rebooted

if node has gone offline/rebooted

     and other nodes have gone offline matching either the group or subnet

send one notification for all nodes instead of individuals

Is this something that is possible? I'm having a hard time figuring out how to use this sort of logic with SQL and then how to incorporate it into an alert.
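One way to express the two cases above in T-SQL against the Orion database, as an added example that is not from the original post. It assumes the Nodes view exposes NodeID, Caption, IP_Address and Status, that Status = 2 means Down, and that each office subnet is a /24 so the first three octets of IP_Address identify the office; adjust that if your addressing differs.

```sql
-- Case 1: isolated outage. Condition for an Orion custom SQL alert: the node
-- is down and no other down node shares its first three octets (/24).
-- Orion prepends its own SELECT when you build a custom SQL alert, so only the
-- text after WHERE is what gets pasted into the alert definition.
-- PARSENAME splits a dotted 4-part string, so PARSENAME('10.1.2.3', 4) = '10';
-- it returns NULL for IPv6 addresses, which this example does not cover.
SELECT Nodes.NodeID, Nodes.Caption
FROM Nodes
WHERE Nodes.Status = 2                          -- assumed: 2 = Down
  AND NOT EXISTS (
      -- any other down node in the same assumed /24 as this node
      SELECT 1
      FROM Nodes AS Peer
      WHERE Peer.Status = 2
        AND Peer.NodeID <> Nodes.NodeID
        AND PARSENAME(Peer.IP_Address, 4) = PARSENAME(Nodes.IP_Address, 4)
        AND PARSENAME(Peer.IP_Address, 3) = PARSENAME(Nodes.IP_Address, 3)
        AND PARSENAME(Peer.IP_Address, 2) = PARSENAME(Nodes.IP_Address, 2)
  );

-- Case 2: site-wide outage. One row per /24 that has two or more down nodes,
-- with every affected node listed in a single column so one notification
-- can carry the whole list. STRING_AGG needs SQL Server 2017 or later.
SELECT
    PARSENAME(IP_Address, 4) + '.' + PARSENAME(IP_Address, 3) + '.'
      + PARSENAME(IP_Address, 2) + '.0/24'      AS Subnet,
    COUNT(*)                                    AS DownNodes,
    STRING_AGG(Caption, ', ')                   AS AffectedNodes
FROM Nodes
WHERE Status = 2
  AND PARSENAME(IP_Address, 4) IS NOT NULL      -- skip rows that are not IPv4
GROUP BY PARSENAME(IP_Address, 4),
         PARSENAME(IP_Address, 3),
         PARSENAME(IP_Address, 2)
HAVING COUNT(*) >= 2;
```

The second query returns one row per subnet rather than one per node, so it does not fit Orion's per-object custom alert model directly; it is better suited to a scheduled report or to the query behind a single summary action, while the first query can be used as-is as an alert condition.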


Level 17

You might be able to achieve some of this easily using groups and alerting on Group Member status.

The other option via alerting would be to use suppression.

In regards to sending a single alert for all nodes, I can see being able to piece something together using suppression, though usually what I focus on are dependencies (which can also be achieved through the right nested group setup). Dependencies in Orion will mark affected Nodes as unreachable, giving you a visual as well as stopping all the alerts of those affected nodes. With the right group setup you can alert on all group members being a certain status (down or unreachable). Normally I rely on the Node Down Alert coming from the parent device (gateway), and notate the device or alert in a way to know it is the main access point and affects more than just that node.


