2 Replies Latest reply on Aug 5, 2019 3:22 PM by mesverrum

    NTA - High Bandwidth Alert Report Grouping % Use by Subnet - Is this possible?

    thesocialassassin

      Hello all,

      We are testing NPM/NTA right now for one purpose: high bandwidth alerting out of two interfaces (each on separate routers). We essentially have 4 departments (subnets) that share the bandwidth, and whenever total bandwidth hits over 90% on either interface, we want an alert triggered along with a corresponding snapshot report to show us which subnets are using the bandwidth (in %) in descending order so we can alert the appropriate network admin of the high utilization. We are not interested in seeing individual host IP addresses. Is this possible?

      I've spoken with a few engineers there and the answer went from "yes, it's pretty simple" to "you'll need to get with one of your SQL developers as this will take a minimum of a few hours to sort out". This is the busiest time of the year for our small department and me being a new guy here, I don't want to saddle someone with hours of wading through this only to figure out that it can't be done. Thank you for your time.

        • Re: NTA - High Bandwidth Alert Report Grouping % Use by Subnet - Is this possible?
          jrouviere

          It does seem simple on the surface. I'm using "High Transmit Percent Utilization with Top Talkers" as a template alert.

           

          You could use the default Transmit/Receive alerts as templates, or likely change the metric to "Total Average percent Utilization" if that matches the data you're seeing.

           

          That should handle your trigger.

           

          I can't find a satisfactory way to get the URL to do what I want at the moment, but I found an older post about customizing the alert URL to link to the Interface:

           

          Re: NTA4.4 Top Talkers

           

          "https://YOURSERVER/Orion/TrafficAnalysis/NetflowInterfaceDetails.aspx?NetObject=NI:${N=SwisEntity;M=InterfaceID};T:Last%2024%20Hours;FD:Both"

           

          What you could do (and probably should do in any case if you haven't already) is create a resource like Top XX Destination IP Address Groups, presuming that you've put these subnets into their own NTA groups as well.

           

          Then using the above URL, that could be it, but there are other options that I would see as more complicated.

           

          You could try to create a report to capture the general utilization from these groups and link that URL, but it would be dynamic as you load the report usually.

           

          You could try to put in variables for the utilization for each subnet into the alert, but they wouldn't sort.

           

          Doing it all in one go (having all four subnets available and then sorting, etc.) brings a script to mind, which feels like overkill, but is something we do on the regular for other tasks.

           

          Finally, if you were wanting to dynamically alert the responsible technician, that's where it would get complicated. You would likely need to involve some custom properties and queries to try to return that information.

           

          Some of this might be a little off the rails as I can't fully test this in my environment at the moment. I believe there's an option to attach the results as a PDF, or maybe "e-mail a web page" already does that, but I haven't been able to find explicit confirmation, just passing mentions.

          • Re: NTA - High Bandwidth Alert Report Grouping % Use by Subnet - Is this possible?
            mesverrum

            So there are probably lots of ways to attack this, but this is how I'd make it happen.

            First, build out a collection of NTA IP Address Groups to label all my subnets that I care about.

            yourserver/Orion/TrafficAnalysis/Admin/NetflowIPAddressGroupsEdit.aspx?WebId=ManageIpGroups

             

             

            I have lots defined already; building these might be the most tedious part for you if you have many to do. Make sure to hit Submit at the bottom when you get done, otherwise all your work will be wasted. I often forget to submit changes to this screen.

             

            Next, make sure my Netflow Interface Details page contains the widget Top XX IP Address Groups; if it's not on that view, then add it. From that view, click the widget and it will take you to the "detached resource" link to that widget specifically. Looks like this in my case:

             

            http://myserver/Orion/DetachResource.aspx?ViewID=80&ResourceID=1854&NetObject=NI%3a78

             

            Just throw that on the clipboard for now.

            Now, take the interfaces I cared about for this alert and tag them with some kind of custom property; in this case I'm just using the Comments property for demonstration's sake.

            Set up an alert that's looking for interfaces with that custom property, that are also above their critical threshold for rx or tx bandwidth utilization.

             

             

            Set up your logic how you want, but this works for me. Then when you get to the alert actions part you should use the Email a Web page option, and in the field where it asks for the URL you should paste in that URL we copied before. The last numbers after the %3a are the interface ID of the interface I want to look at, so I just deleted everything after that and replaced it with the variable for "whatever interface triggers my alert." You can look up the variable using the "Insert Variable" button here if you want, but here's what it will look like:

             

            http://myserver/Orion/DetachResource.aspx?ViewID=80&ResourceID=1854&NetObject=NI%3a${N=SwisEntity;M=InterfaceID}

             

            Your ViewID and ResourceID are likely to be different, so you have to copy most of this link string from your environment; mine won't work for you.

             

            Then you just make sure to populate the web server auth section with an account that has login permission for SolarWinds, and make the alert message however you like. Mine looks like this:

             

            Now you can simulate that alert to make sure you didn't typo anything; if you did it right, you will get a message in your inbox with a PDF screenshot of the top IP address groups on that interface at the time the alert fires.

             

            Mine looked like this when I was done mocking this example up.

             

            -Marc Netterfield

                Loop1 Systems: SolarWinds Training and Professional Services