Alert rule - purpose of query and builder

Hello!

I’m trying to create an alert rule that would copy the “Devices unpolled” frontend message’s functionality, so that I would be notified by transport instead of a message in frontend.

I was wondering, how are the alert rules processed, in particular, what is the purpose of builder and query entries in the database?

For example, I have an array of alert rules from previous versions of LibreNMS where builder field is completely empty - they work fine. This may indicate that builder is not necessary at all in order to process an alert rule.
Knowing this, I try to create an alert rule with the same query as frontend does:

    SELECT * FROM devices WHERE last_polled <= DATE_ADD(NOW(), INTERVAL - 15 minute) AND `ignore` = 0 AND disabled = 0 AND status = 1;

This one fires for every device I have, which is logical - there are 4 unpolled devices in my network and every poller process finds a match, mapping an alert to a device it has polled. Guessing if it is possible to resolve with builder criteria, but I lack understanding of what it is used for…

Would be grateful for any hints on how to proceed with the particular case and explanation on builder and query of the alert rule.

Regards,
Oleg

You should share your actual rule you’ve created.

The builder column is the native format for the webui to use. The query is the full MySQL query we generate, which is then run to see if the rule matches any data.

Hello @laf, thank you for your reply!

Here is what the alert rule looks like in the web frontend:

Here is what the alert rule looks like in the database:

        rule:
    severity: critical
       extra: {"mute":true,"count":"-1","delay":"0","invert":false,"interval":300,"recovery":true}
    disabled: 1
        name: test_unpolled_device
       query: SELECT * FROM devices WHERE (devices.device_id = ?) AND devices.last_polled > "15m" AND (devices.status = 1 && (devices.disabled = 0 && devices.ignore = 0)) = 1
     builder: {"condition":"AND","rules":[{"id":"devices.last_polled","field":"devices.last_polled","type":"datetime","input":"text","operator":"greater","value":"15m"},{"id":"macros.device_up","field":"macros.device_up","type":"integer","input":"radio","operator":"equal","value":"1"}],"valid":true}
        proc:

I’m using distributed polling (the experimental one), if this matters.

Regards,
Oleg
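
Why a query without device scoping fires for every device, shown as an added example that is not part of the original posts and is not LibreNMS code. It assumes the rule query is evaluated once per device with that device's id bound to the `?` placeholder seen in the stored query, and it uses SQLite with constructed rows and epoch timestamps in place of the MySQL date functions.

```python
import sqlite3

# Constructed sample data: (device_id, hostname, seconds since last poll).
SAMPLE_DEVICES = [(1, "core-sw", 60), (2, "edge-rtr", 1800),
                  (3, "ap-lobby", 120), (4, "ups-1", 3600)]
NOW = 1_700_000_000        # fixed "current time" (epoch seconds) for reproducibility
STALE_AFTER = 15 * 60      # the 15 minute threshold from the thread

# Condition from the frontend check, with no device scoping.
UNSCOPED = ('SELECT device_id FROM devices WHERE last_polled <= :cutoff '
            'AND "ignore" = 0 AND disabled = 0 AND status = 1')
# Same condition, scoped like the stored rule query: (devices.device_id = ?).
SCOPED = ('SELECT device_id FROM devices WHERE (devices.device_id = :id) '
          'AND last_polled <= :cutoff '
          'AND "ignore" = 0 AND disabled = 0 AND status = 1')


def devices_alerted(query):
    """Run `query` once per device; return ids of devices that would alert."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE devices (device_id INTEGER, hostname TEXT, '
               'last_polled INTEGER, "ignore" INTEGER, disabled INTEGER, '
               'status INTEGER)')
    db.executemany("INSERT INTO devices VALUES (?, ?, ?, 0, 0, 1)",
                   [(i, h, NOW - age) for i, h, age in SAMPLE_DEVICES])
    ids = [row[0] for row in
           db.execute("SELECT device_id FROM devices ORDER BY device_id")]
    alerted = []
    for device_id in ids:
        # Assumption: one evaluation per device, with its id bound as a parameter.
        params = {"id": device_id, "cutoff": NOW - STALE_AFTER}
        if db.execute(query, params).fetchone() is not None:
            alerted.append(device_id)  # any returned row counts as a match
    db.close()
    return alerted


if __name__ == "__main__":
    print("unscoped:", devices_alerted(UNSCOPED))
    print("scoped:  ", devices_alerted(SCOPED))
```

With the constructed data, only devices 2 and 4 are stale, yet the unscoped query returns rows on every evaluation, so all four devices alert.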