
Re: Alerting - can this be done? Alerting based on "milestones"?

You can do this with a custom query. It's a little kludgy because you are going to join a table that doesn't matter, but stick with me.

 

The core of the query is getting the count of alerts.

 

First, you HAVE to know the name of the alert before you start.

     For this example, we'll say the alert is named "ECKY_ECKY_ECKY_FTANG".

Second, you have to know the ONE alert trigger action you are looking for. If an alert has multiple actions (Log to NetPerfMon log, send email, etc.) then you'll get skewed results.

     We'll assume that every alert has one (and only one) action to write to the eventlog, an action type called 'NPMEventLog'

 

You need to query two tables - AlertDefinitions, which gives you the alert name, and AlertLog, which gives you the list of alerts that have triggered.

 

    select alertdefinitions.alertname, alertdefinitions.description,
    alertlog.logdatetime, alertlog.actiontype
    from alertdefinitions
    join alertlog on alertdefinitions.AlertDefID = alertlog.AlertDefId
    where AlertDefinitions.AlertName = 'ECKY_ECKY_ECKY_FTANG'
    and alertlog.ActionType = 'NPMEventLog'

 

This will give you a list of ALL of the alerts and alert actions associated with the alert "ECKY_ECKY_ECKY_FTANG". I've added a few additional fields (LogDateTime, ActionType, etc.) so you can see what's going on and what you are actually getting.

 

Next, you want to limit the time:

    select alertdefinitions.alertname, alertdefinitions.description,
    alertlog.logdatetime, alertlog.actiontype
    from alertdefinitions
    join alertlog on alertdefinitions.AlertDefID = alertlog.AlertDefId
    where AlertDefinitions.AlertName = 'ECKY_ECKY_ECKY_FTANG'
    and alertlog.LogDateTime > dateadd(hour,-1,getdate())
    and alertlog.ActionType = 'NPMEventLog'

 

The new line looks at alerts named "ECKY_ECKY..." that have triggered between NOW and 1 hour ago. If you want different time frames, look up the SQL "DateAdd" command for other options.

 

Now we're going to tighten up the query so that ALL we are getting is a count of tickets:

    select count(alertdefinitions.alertname) as alertcount
    from alertdefinitions
    join alertlog on alertdefinitions.AlertDefID = alertlog.AlertDefId
    where AlertDefinitions.AlertName = 'ECKY_ECKY_ECKY_FTANG'
    and alertlog.LogDateTime > dateadd(hour,-1,getdate())
    and alertlog.ActionType = 'NPMEventLog'

 

Now normally, we could just wrap this into a cute little piece of logic that would ONLY return a record if the count was more than <whatever> (let's say 10).

    select *
    from (
         select count(alertdefinitions.alertname) as alertcount
         from alertdefinitions
         join alertlog on alertdefinitions.AlertDefID = alertlog.AlertDefId
         where AlertDefinitions.AlertName = 'ECKY_ECKY_ECKY_FTANG'
         and alertlog.LogDateTime > dateadd(hour,-1,getdate())
         and alertlog.ActionType = 'NPMEventLog') a1
    where a1.alertcount > 10

 

However, the challenge with SolarWinds is that there's no alert category that lets us directly query the alert table. But that's OK, we can do a fakeout:

  1. Open a new query
  2. Set the trigger type to Custom SQL
  3. Set the trigger sub-type to Node
  4. You will automatically get the following lines added for you:
    Select Nodes.NodeID as NetObjectID, Nodes.Caption as Name
    From Nodes
  5. In the box below, you will add the following code:
    join (select count(alertdefinitions.alertname) as alertcount
        from alertdefinitions
        join alertlog on alertdefinitions.AlertDefID = alertlog.AlertDefId
        where AlertDefinitions.AlertName = 'ECKY_ECKY_ECKY_FTANG'
        and alertlog.LogDateTime > dateadd(hour,-1,getdate())
        and alertlog.ActionType = 'NPMEventLog')
        a1 on Nodes.NodeID = 1
    where a1.alertcount > 10

 

What you will get back (if there are 10 alerts in the last hour) is the NodeID and Caption for whatever the first node in your environment is. You're not going to actually USE that node's information, but that's what you are actually getting back.

 

Your trigger action is going to be fairly hard-coded - an email or message that says "More than xx alerts have triggered in the last hour!". But you'll have the alert you are looking for.
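
Added example, not part of the original post: a Python/SQLite stand-in for the Orion database that runs the step 5 join on constructed rows and shows why the ActionType filter matters when an alert logs more than one action. Only the table and column names come from the post; the sample rows, the second action name "EMail", the column types and the cutoff parameter (used in place of dateadd/getdate) are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

ALERT = "ECKY_ECKY_ECKY_FTANG"
JOIN = ("from AlertDefinitions d join AlertLog l on d.AlertDefID = l.AlertDefID "
        "where d.AlertName = ? and l.LogDateTime > ?")

def build_db(now, actions=("NPMEventLog", "EMail")):
    """Constructed data: 12 triggers in the last hour, 3 older, one row per action."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table Nodes (NodeID integer primary key, Caption text);
        create table AlertDefinitions (AlertDefID text, AlertName text);
        create table AlertLog (AlertDefID text, LogDateTime text, ActionType text);
        insert into Nodes values (1, 'first-node'), (2, 'second-node');
        insert into AlertDefinitions values ('def-1', 'ECKY_ECKY_ECKY_FTANG');
    """)
    minutes_ago = list(range(0, 48, 4)) + [120, 121, 122]
    for m in minutes_ago:
        ts = (now - timedelta(minutes=m)).isoformat(sep=" ")
        for action in actions:  # "EMail" is a made-up second action name
            db.execute("insert into AlertLog values ('def-1', ?, ?)", (ts, action))
    return db

def count_rows(db, cutoff, action=None):
    """Count AlertLog rows for ALERT since cutoff, optionally for one action type."""
    sql, args = "select count(d.AlertName) " + JOIN, [ALERT, cutoff]
    if action is not None:
        sql, args = sql + " and l.ActionType = ?", args + [action]
    return db.execute(sql, args).fetchone()[0]

def milestone_rows(db, cutoff, threshold):
    """The Nodes join from step 5: returns node 1 only when the count exceeds threshold."""
    sql = ("select Nodes.NodeID as NetObjectID, Nodes.Caption as Name from Nodes "
           "join (select count(d.AlertName) as alertcount " + JOIN +
           " and l.ActionType = 'NPMEventLog') a1 on Nodes.NodeID = 1 "
           "where a1.alertcount > ?")
    return db.execute(sql, (ALERT, cutoff, threshold)).fetchall()

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0)  # fixed clock so the output is repeatable
    cutoff = (now - timedelta(hours=1)).isoformat(sep=" ")
    db = build_db(now)
    print("all action rows:", count_rows(db, cutoff))
    print("NPMEventLog rows:", count_rows(db, cutoff, "NPMEventLog"))
    print("threshold 10:", milestone_rows(db, cutoff, 10))
    print("threshold 12:", milestone_rows(db, cutoff, 12))
```
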
