4 Replies Latest reply on Apr 27, 2018 8:07 PM by zackm

    Alert condition for down alert not firing alerts

    oli_herd

      Hi,

       

      I have set up a generic alert for when a node goes down; within it I have excluded certain items (WAN routers), as I have a separate alert set up for those. Looking at the Show list for the objects in the environment, they do not appear, so I believe the trigger condition for this alert is set up correctly: all the nodes not equal to the WAN routers do alert, and the Junipers are not triggered by this alert.

       

       

      My second alert, purely just for the WAN routers, is configured to find devices with the role of WAN and show in the detected child objects list as expected, and the status is set to down.

       

      For some reason the WAN router alert does not trigger and I'm not entirely sure why. I think it's probably one of the trigger conditions on either, but I can't seem to get my head around it. I have searched the forum but haven't found anything quite the same as this. If anyone has any ideas on what is wrong, it would be appreciated.

       

      Thanks

        • Re: Alert condition for down alert not firing alerts
          zackm

          Easiest way to ID potential scope issues is to Download and Install the SDK, and then use SWQL Studio to verify your alert scope.

          Click the little drop down arrow on the right, then select "Show SWQL"

           

           

          Remove the "WHERE Status = xxxx" and then run the resulting query in the SWQL Studio app and verify you're seeing the nodes you expect to see.

           

          The original query will most likely look similar to this:

           

          SELECT E0.[Uri], E0.[DisplayName]
          FROM Orion.Nodes AS E0 
          WHERE ( ( E0.[Status] = '2' ) AND ( E0.[Caption] != 'ThatOtherRouter' ) AND ( E0.[CustomProperties].[DeviceRole] = 'WAN' ) )

           

          I would update it to look more like this to add some more data in the results that make it more user-readable:

           

          SELECT E0.[NodeID], E0.[DisplayName], E0.[IPAddress], E0.[CustomProperties].[DeviceRole] 
          FROM Orion.Nodes AS E0 
          WHERE ( E0.[Caption] != 'ThatOtherRouter' ) 
          AND ( E0.[CustomProperties].[DeviceRole] = 'WAN' )

           

          If you need help, feel free to post the results of your "Show SWQL" here.

            • Re: Alert condition for down alert not firing alerts
              oli_herd

              I've downloaded SWQL Studio. This is the first time I've used it, so please bear with me as I don't really know it that well. So my query looks like this, which, if I run it in the studio, doesn't display anything.

               

              If I remove the WHERE Status line like you suggested and input the last line you typed, I get the same result as above. The second set you typed, when run in SWQL, does give me the results that I expect to see, which is good; that's what I want. So from that, my original query isn't configured, hence why it doesn't display any results.

              Again, apologies for my next stupid question... how do I get the correct code you entered into the alert?

                • Re: Alert condition for down alert not firing alerts
                  zackm

                  That actually looks accurate. Try this, it will add the current status to your query:

                   

                  SELECT
                  E0.[NodeID]
                  ,E0.[Caption]
                  ,E0.[IPAddress]
                  ,E0.[CustomProperties].[DeviceRole]
                  ,E0.[StatusDescription]
                  FROM Orion.Nodes AS E0
                  WHERE ( E0.[CustomProperties].[DeviceRole] = 'WAN' )

                  The conditional logic looks correct. I think you may need to dig a little deeper to ensure that there's actually an event that captured a down event.

                   

                  SELECT
                  n.Caption
                  ,n.IPAddress
                  ,n.CustomProperties.DeviceRole
                  ,TOLOCAL(n.Events.EventTime) AS [EventTime]
                  ,n.Events.Message
                  ,n.Events.EventTypeProperties.Name
                  FROM Orion.Nodes n
                  WHERE n.CustomProperties.DeviceRole = 'WAN'
                  AND n.Events.EventType = 1
                  ORDER BY [EventTime] DESC

                   

                  This will show you every down event captured on any of your WAN devices for the length of your Events retention (default is 30 days).

                   

                  If you find events in there, the next thing to look at would be whether or not you have a Trigger delay added, or if you've changed the evaluation interval of the alert.

              • Re: Alert condition for down alert not firing alerts
                wluther

                oli_herd

                Also, it might help if you break down your first alert a bit, separating the scope and actual alert definition(s). Maybe have all of the node name criteria in the scope, then put the status indicator in the actual alert trigger.