6 Replies. Latest reply: Jun 25, 2013 12:49 PM by netlogix

    Alert Rules

    Farrukh Shami

      Hi all,

           I want to understand the rule mechanism. I have a network of 5 machines added in NPM.

      a:  172.172.1.1

      b:  172.172.1.2

      c:  172.172.1.3

      d:  172.172.1.4

      e:  172.172.1.5

      Now, I want to make different groups to whom the notification will be sent. For example, there are 2 groups:

       

      1:  Network Administrators  (NA)

      2:  Server Administrators     (SA)

      ==========================================================================

      I want the "Goes down" notification of servers "a, b, c" to be sent to Group (NA),

      while the "Goes down" notification of "d, e" will be sent to Group (SA).

       

      For this kind of rule, what can I create?

        • Re: Alert Rules
          Farrukh Shami

          group A.jpg

          I have created this rule, but it is not triggering any email.

          • Re: Alert Rules
            Leon Adato

            Look at your initial line: "Trigger alert if ALL of the following apply"

            A device that is down cannot have an IP address of 1.2.3.1 AND 1.2.3.2 AND 1.2.3.3

             

            What you mean to say is:

            Trigger alert if ALL of the following apply

                 Node status is equal to down

                 Trigger alert if ANY of the following apply

                      IP Address is equal to 172.172.1.1

                      IP Address is equal to 172.172.1.2

                      IP Address is equal to 172.172.1.3

             

            Try that one out and let us know if it works.
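The nested condition described in the reply above, as an added example that is not part of the original thread and is not SolarWinds code: a small evaluator showing why the flat ALL rule can never fire while the nested ALL/ANY rule routes each node to the right group. The operator names, field names and the `NODES` inventory are assumptions built from the addresses in the question.

```python
# Added example, not SolarWinds code: a minimal evaluator for nested
# ALL/ANY alert conditions. Operator and field names are hypothetical.

# Constructed inventory using the five addresses from the question.
NODES = {"a": "172.172.1.1", "b": "172.172.1.2", "c": "172.172.1.3",
         "d": "172.172.1.4", "e": "172.172.1.5"}

def evaluate(cond, node):
    """Evaluate a condition tree against one node record (a dict).

    A tree is ("ALL", [children]), ("ANY", [children]) or the leaf
    ("EQ", field, value).
    """
    op = cond[0]
    if op == "EQ":
        _, field, value = cond
        return node.get(field) == value
    if op not in ("ALL", "ANY"):
        raise ValueError(f"unknown operator: {op!r}")
    children = cond[1]
    if not children:
        # Design choice of this example: an empty group never fires,
        # avoiding Python's vacuous all([]) == True.
        return False
    results = [evaluate(child, node) for child in children]
    return all(results) if op == "ALL" else any(results)

DOWN = ("EQ", "status", "down")

def ip_is(name):
    return ("EQ", "ip", NODES[name])

def flat_rule(names):
    """Every condition under a single ALL: one node would need every IP."""
    return ("ALL", [DOWN] + [ip_is(n) for n in names])

def nested_rule(names):
    """Status is down AND the IP matches ANY address in the group."""
    return ("ALL", [DOWN, ("ANY", [ip_is(n) for n in names])])

# One rule per notification group: a, b, c go to NA; d, e go to SA.
RULES = {"NA": nested_rule("abc"), "SA": nested_rule("de")}

def recipients(node, rules=RULES):
    """Return the groups whose rule fires for this node record."""
    return sorted(g for g, rule in rules.items() if evaluate(rule, node))

if __name__ == "__main__":
    for name, ip in NODES.items():
        print(name, recipients({"ip": ip, "status": "down"}))
```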

              • Re: Alert Rules
                Farrukh Shami
                adatole

                  • Re: Alert Rules
                    Leon Adato

                    Think about your polling cycles.

                     

                    • SolarWinds polls (pings) every 2 minutes.
                    • If a device fails a ping, SolarWinds sends out one ping every 5 seconds
                    • If a device fails 10 pings in a row, the device is THEN marked as down.
                    • Do you have a delay in your trigger? (You should) That's going to delay the actual alert message further.

                     

                    Let's say that you put a 4 minute delay on your alert trigger. Meaning a device has to be down for 2 polling cycles before you call it officially "down" (this is a good idea, so you don't cut a ton of false alarms).

                     

                    At 12:00 your device goes down.

                    Worst case, it's 12:02 before SolarWinds pings it for status. This ping fails.

                         SolarWinds sends out one ping every 5 seconds.

                    At 12:02:50, the device is now marked as "down" in SolarWinds.

                         your alert trigger says to wait 2 minutes to make sure it's really down

                    At 12:04:50, you finally send out a message.

                    If you have any delays in email processing, that could slow things down further.

                     

                    So it's about 5 minutes.

                     

                    Now you can cut down the time by doing the following things:

                    1. Reducing the polling cycle on the device - you can get down to one ping every 10 seconds I believe.
                    2. Reducing the delay for the alert trigger

                     

                    If you did both of those things, you could get down to a 60 second delay between device down and your alert.

                     

                    But my guess is that you would also generate so many false alarms that it would become useless noise.

                      • Re: Alert Rules
                        netlogix

                        One other factor to add is on the first page of your alert: Alert Evaluation Frequency, how often the alerting engine checks for the condition. So after adatole's 12:02:50 you have to add that number. Of course, this is all worst case.