Create an "Active Alerts" view based only on critical alerts

Hello,

I was attempting to create a new view for a NOC team. Within this view, I wanted to include an "Active Alerts" view, but I wanted the view to only show alerts with a severity of critical. Is there any way to filter the alerts down to only critical alerts?

Thanks

  • Not natively, but you can create a report using SWQL that should meet your needs:

    SWQL - Active Alerts Report

    To limit by severity to only Critical alerts, try this: (note the addition of line 19)

    SELECT
      o.AlertConfigurations.Name AS [ALERT NAME]
      ,'/Orion/NetPerfMon/ActiveAlertDetails.aspx?NetObject=AAT:' + ToString(o.AlertObjectID) AS [_LinkFor_ALERT NAME]
      ,o.EntityCaption AS [ALERT OBJECT]
      ,o.EntityDetailsURL AS [_LinkFor_ALERT OBJECT]
      ,o.RelatedNodeCaption AS [RELATED NODE]
      ,o.RelatedNodeDetailsURL AS [_LinkFor_RELATED NODE]
      ,ToLocal(o.AlertActive.TriggeredDateTime) AS [ALERT TRIGGER TIME]
      ,o.AlertActive.TriggeredMessage AS [ALERT MESSAGE]
      ,CASE
      WHEN o.AlertConfigurations.Severity = 1 then 'Critical'
      WHEN o.AlertConfigurations.Severity = 2 then 'Serious'
      WHEN o.AlertConfigurations.Severity = 3 then 'Warning'
      WHEN o.AlertConfigurations.Severity = 4 then 'Informational'
      WHEN o.AlertConfigurations.Severity = 5 then 'Notice'
      END AS [Severity]
    FROM Orion.AlertObjects o
    WHERE o.AlertActive.TriggeredMessage <> ''
    AND o.AlertConfigurations.Severity = 1
    ORDER by o.AlertActive.TriggeredDateTime DESC

    And please go vote on this Feature Request to have all of this functionality added to the native resource:

    Thanks!

    -ZackM

    Loop1 Systems: SolarWinds Training and Professional Services

    <EDITED TO UPDATE TIMESTAMP TO LOCAL INSTEAD OF UTC>

  • Thanks for the help! It worked great. I added a vote on the feature request page, so hopefully it will be easier to accomplish this in the future.

  • Thanks so much for this!

    I'm trying to modify this to only return alerts of critical severity AND from the past 24 hours.

    I tried modifying the last lines of the query to filter for the difference between the trigger time and current date is less than 1, any idea where I may be making a mistake? Thanks

    WHERE o.AlertActive.TriggeredMessage <> ''
    AND o.AlertConfigurations.Severity = 1
    AND DayDiff(AlertActive.TriggerDateTime, getdate())<1
    ORDER by o.AlertActive.TriggeredDateTime DESC

  • I'm trying to use this query, but it looks like the severity doesn't quite match up.

  • Because making the numbers progress the same as the UI would be too simple, try this:

      ,CASE
      WHEN o.AlertConfigurations.Severity = 2 then 'Critical'
      WHEN o.AlertConfigurations.Severity = 3 then 'Serious'
      WHEN o.AlertConfigurations.Severity = 1 then 'Warning'
      WHEN o.AlertConfigurations.Severity = 0 then 'Informational'
      WHEN o.AlertConfigurations.Severity = 4 then 'Notice'
      END AS [Severity]

  • Thanks, that did the trick.

  • Two more questions, if you don't mind. I'm trying to add an "AND not acknowledged" to this. Do you know what the o.Alert(whatever) is? Also, where does everyone go to see a list of all these database objects?

  • o.AlertActive.AcknowledgedBy is not null

    And to answer your second question, it is important to note that SWQL is actually an abstraction layer between the tool and the database, so there isn't exactly a 1-to-1 relationship between how things are laid out in SWQL and how they are in the database. With that said, the best way to see how to build these queries is to download the SDK from the SolarWinds GitHub: Releases · solarwinds/OrionSDK · GitHub

    -Marc Netterfield

    Loop1 Systems: SolarWinds Training and Professional Services

  • I'm using this swql query but I'd like to add an Acknowledged "YES" or "NO" and whom/who acknowledged the alert.  My swql fu is lacking and I look fwd to your reply.

    Thx
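
Added example, not posted by anyone in this thread: one SWQL query that combines the corrected severity mapping, the 24-hour window and the acknowledgement columns asked about above. It assumes the `AddHour` and `GetUtcDate` SWQL functions, that `TriggeredDateTime` is stored in UTC (as the ToLocal edit above implies), and that `AcknowledgedBy` is NULL or empty until someone acknowledges the alert.

```sql
-- Added example: critical alerts triggered in the last 24 hours,
-- with acknowledgement status. Severity 2 = Critical, following the
-- corrected mapping posted earlier in this thread.
SELECT
  o.AlertConfigurations.Name AS [ALERT NAME]
  ,'/Orion/NetPerfMon/ActiveAlertDetails.aspx?NetObject=AAT:' + ToString(o.AlertObjectID) AS [_LinkFor_ALERT NAME]
  ,o.EntityCaption AS [ALERT OBJECT]
  ,o.EntityDetailsURL AS [_LinkFor_ALERT OBJECT]
  ,ToLocal(o.AlertActive.TriggeredDateTime) AS [ALERT TRIGGER TIME]
  ,o.AlertActive.TriggeredMessage AS [ALERT MESSAGE]
  -- Assumption: AcknowledgedBy is NULL or empty while unacknowledged
  ,CASE
    WHEN o.AlertActive.AcknowledgedBy IS NULL THEN 'NO'
    WHEN o.AlertActive.AcknowledgedBy = '' THEN 'NO'
    ELSE 'YES'
  END AS [ACKNOWLEDGED]
  ,o.AlertActive.AcknowledgedBy AS [ACKNOWLEDGED BY]
FROM Orion.AlertObjects o
WHERE o.AlertActive.TriggeredMessage <> ''
  AND o.AlertConfigurations.Severity = 2
  -- Rolling 24-hour window against a UTC cutoff, rather than a
  -- calendar-day difference
  AND o.AlertActive.TriggeredDateTime > AddHour(-24, GetUtcDate())
  -- To list only unacknowledged alerts, uncomment the next line:
  -- AND (o.AlertActive.AcknowledgedBy IS NULL OR o.AlertActive.AcknowledgedBy = '')
ORDER BY o.AlertActive.TriggeredDateTime DESC
```

Check the severity numbers and the acknowledgement behaviour against your own Orion version in SWQL Studio before putting the query on a NOC view.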