Customizing SolarWinds for Efficient Network Management

Who we are: We are a subsidiary of McKesson We process pharmacy claims transactions real time 4.8 Billion transactions first quarter. Using SW since 2007 for network implemented SAM about a year ago approximately 500 systems approximately 400 network devices 3 separate Orion implementations (2 small)

Custom Alerts, SQL and CPs SolarWinds has a very powerful suite of tools. While it is very useful right out of the box, so much more can be done with it to fit your environment/needs using: Custom Properties Custom Alerts SQL get to know the DB Discuss some of our thoughts in these areas Examples

Alert levels paradigm informational vs. actionable InfoSW reports (no emails, no action expected at time of alert) WarningSW Email goes out - as soon as you can (ticket?) CriticalSW operations calls on-call regardless of time. [TEST] testing logic/changes

Custom Properties are at the core of customizing your environment. Alerting and custom properties go hand in hand. Do a needs assessment: Who is/are the consumer(s) of the alert? Engineers Ops Mgmt What is the purpose of the alert for your environment? Simple notification Simplify troubleshooting efforts Let Ops know so they can call on-call Escalation steps do they make sense for your environment

Custom Properties Emails Mute vs. UnManage Realm Dept BusinessHours (bit) CyclesToDelayDownAlert

CPU unless mcshield Create component check mcshield.exe InfoSW for process (mcshield.exe) This allows it to generate an alert but not actionable so we can check the alerts table for its existance. AND NOT EXISTS (select * FROM RH_HCOpsAlerts where ObjectName='mcshield.exe InfoSW' and NodeID=Nodes.NodeID)

Critical Alerts Ops must ack before it clears JOIN AlertObjects o WITH(NOLOCK) on ('AM:'+CAST(APM_AlertsAndReportsData.ComponentID as nvarchar)=o.EntityNetObjectId) JOIN AlertActive aa WITH(NOLOCK) ON (o.AlertObjectID=aa.AlertObjectID and TriggeredMessage like '%CriticalSW%') JOIN AlertHistory a WITH(NOLOCK) on (o.AlertObjectID=a.AlertObjectID and a.EventType in (0,2)) JOIN Nodes n WITH(NOLOCK) ON (APM_AlertsAndReportsData.NodeId=n.NodeID) JOIN APM_ApplicationCustomProperties cp WITH(NOLOCK) ON (APM_AlertsAndReportsData.ApplicationId = cp.ApplicationID) WHERE ( n.MuteNode <> 0 OR cp.MuteApp <> 0 OR APM_AlertsAndReportsData.ComponentStatus NOT IN ('Critical','Down') ) AND a.AlertActiveID IN (select top 1 AlertActiveID from alerthistory where alertobjectid=o.AlertObjectID order by alertobjectid, alertactiveid desc) AND -- Prod Critical Ticket Entry (CASE WHEN (ISNULL(cp.realm,n.realm) ='Production') THEN CASE WHEN (a.[Message] like '%[0-9][0-9][0-9][0-9][0-9]%' and a.EventType IN (2)) THEN 1 ELSE 0 END ELSE 1 --Clear b/c not production END )=1

Business Hours Alert Logic (CASE WHEN (Nodes.BHOnly=1) THEN CASE WHEN DATEPART(hh,GETDATE()) BETWEEN 7 AND 19 AND DATEPART(dw,GETDATE()) BETWEEN 2 and 6 THEN 1 ELSE 0 END ELSE 1 --trigger b/c not BHOnly END )=1

Delay Down Alert for a Number of Cycles AND acp.CyclesToDelayDownAlert <> 0 AND APM_AlertsAndReportsData.LastTimeUp < DATEADD(SECOND, -(acp.CyclesToDelayDownAlert * (SELECT val=CASE WHEN apps.[Key]='__Frequency' THEN apps.value ELSE isnull(ats.Value,'300') END FROM APM_AlertsAndReportsData ard JOIN APM_Application a WITH(NOLOCK) ON (ard.ApplicationID=a.ID and ard.ComponentID=${N=SwisEntity;M=ID}) LEFT JOIN APM_ApplicationSetting apps WITH(NOLOCK) ON (apps.ApplicationID=a.Id and LEFT JOIN APM_ApplicationTemplateSetting ats WITH(NOLOCK) ON (a.TemplateID=ats.ApplicationTemplateID and ats.[Key]='__Frequency' ) ) ), GETDATE() ) apps.[key]='__Frequency')

Ticketing System Integration TicketEmail dropdown Warning Alerts Dept SSL Certificate Expiring (if time) Engineer assigned expiration date install date