3 Replies Latest reply on Feb 23, 2018 9:25 AM by mesverrum

    SAM - Hide Information Alerts in All Active Alerts View (or NOC View)


      Hey guys,


      I've hit a bit of a wall and I'm coming up on a deadline for getting SAM setup to replace our current monitoring solution (Icinga).  While I've been able to setup all of the basic monitors and alerts we had in the last environment, I'm having some struggles getting the email alerting to do what I expect (see this post over here for the solution I'd prefer for this problem).


      One of the suggestions that has been raised was to remove Reset Triggers from all alerts and setup "OK Alerts" with trigger conditions which would fire when the system entered back into an OK state.  This seems like a really good work around for the email/trigger issue, however it doesn't seem to work for our NOC, as it's going to flood the "All Active Alerts" and "All Active Alerts - NOC View Mode" displays they watch for issues with thousands of "OK" alerts on the "All" category.  Ideally, we'd like these alerts to be hidden from this view or create another view which looks exactly like one or both of those views, but with the "OK" alerts removed (we were thinking of setting these as Severity: Notice for an easy way to filter them out.


      Any thoughts or suggestions?


      Thank you,


        • Re: SAM - Hide Information Alerts in All Active Alerts View (or NOC View)

          So the out of the box alert views aren't very filterable as you have probably noticed, so to get that kind of effect you usually end up building something using the custom table resource.  If you get really fancy I could see cooking up a SQL/SWQL resource that only shows the highest severity of the alert and disappears it if the OK variant has shown up for that same object.

          2 of 2 people found this helpful
            • Re: SAM - Hide Information Alerts in All Active Alerts View (or NOC View)

              Thanks for the reply!  I looked a bit at creating a new page/view/table, but I couldn't find a way to make it the same type of view (with the check boxes and acknowledge button).  My total hands-on time with SAM is still less than 10 hours, so I know effectively nothing about the product.  Is there something fairly straight forward that I'm just completely missing?


              Thank you,


                • Re: SAM - Hide Information Alerts in All Active Alerts View (or NOC View)

                  This is the basic SWQL query I use for most of my alert dashboards





                  It doesnn't have check boxes or the ack button since those are done in javascript and I still haven't gotten around to being able to recreate that, but if you click the column with the alert in it that takes you to the alert info page, which does have the ack button.  I was going to attempt to write a version with the logic I described above but my VCP exam is in 2 weeks and I am on the grind studying for that so I can't let myself get too distracted until after I finish it. Feel free to try and modify this for your purposes if you are any good at SQL.





                  o.AlertConfigurations.Name AS [ALERT NAME]

                  ,'/Orion/NetPerfMon/ActiveAlertDetails.aspx?NetObject=AAT:' + ToString(o.AlertObjectID) AS [_LinkFor_ALERT NAME]


                  WHEN o.AlertConfigurations.Severity = 2 THEN '/Orion/images/ActiveAlerts/Critical.png'

                  WHEN o.AlertConfigurations.Severity = 3 THEN '/Orion/images/ActiveAlerts/Serious.png'

                  WHEN o.AlertConfigurations.Severity = 1 THEN '/Orion/images/ActiveAlerts/Warning.png'

                  WHEN o.AlertConfigurations.Severity = 0 THEN '/Orion/images/ActiveAlerts/InformationalAlert.png'

                  WHEN o.AlertConfigurations.Severity = 4 THEN '/Orion/images/ActiveAlerts/Notice.png'

                  END AS [_iconfor_ALERT NAME]

                  ,o.EntityCaption AS [ALERT OBJECT]

                  ,o.EntityDetailsURL AS [_LinkFor_ALERT OBJECT]


                  WHEN o.RelatedNodeCaption=EntityCaption THEN 'Self'

                  When o.RelatedNodeCaption!=EntityCaption THEN RelatedNodeCaption

                  End as [RELATED NODE]

                  ,o.RelatedNodeDetailsURL AS [_LinkFor_RELATED NODE]

                  ,ToLocal(o.AlertActive.TriggeredDateTime) AS [ALERT TRIGGER TIME]

                  -- ,o.AlertActive.TriggeredMessage AS [ALERT MESSAGE]

                  --,'/Orion/images/StatusIcons/Small-' + n.StatusIcon AS [_IconFor_ALERT OBJECT]

                  ,'/Orion/images/StatusIcons/Small-' + p.StatusIcon AS [_IconFor_RELATED NODE]


                  when minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())>1440 then (tostring(round(minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())/1440.0,1)) + ' Days')

                  when minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())>60 then (tostring(round(minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())/60.0,1)) + ' Hours')

                  else (tostring(minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())) + ' Minutes')

                  end as [Time Active]


                  ,ah.Message as [Note]



                  From Orion.AlertActive aa

                  join Orion.AlertObjects o on aa.alertobjectid=o.alertobjectid

                  LEFT join Orion.Nodes p on p.nodeid=relatednodeid

                  left join orion.alerthistory ah on ah.AlertActiveID=aa.AlertActiveID and ah.EventType in (2,3)


                  --where (o.AlertConfigurations.Name like '%${SEARCH_STRING}%' or o.RelatedNodeCaption like '%${SEARCH_STRING}%' or o.EntityCaption like '%${SEARCH_STRING}%' or ah.Message like '%${SEARCH_STRING}%')


                  ORDER by o.AlertActive.TriggeredDateTime DESC

                  1 of 1 people found this helpful