Conditional Alert Recovery

Hello!

I am using the following alert to monitor 4G WAN backups when they go down.

SELECT * FROM devices,syslog
WHERE (devices.device_id = ? AND devices.device_id = syslog.device_id)
AND syslog.msg REGEXP ".WWAN1_GW\\\' is Down."

When a 4G backup goes down, it generates 1 syslog message containing “WWAN1_GW is Down”. The alert works fine, but our issue is that when the 4G module comes back up, these down alerts stay around.

I thought about using the syslog.timestamp to recover alerts that are older than a given time, but this would clear alerts where the 4G module is still down.

When the 4G module comes back up, a syslog message is generated stating that it is up. Is it possible to have the alert recovery be conditional based on if it sees a new syslog message stating the 4G module is back up? I assume there might be other ways to achieve the same functionality.

Thanks in advance!

I expect you might be able to do some crazy multi select based on the two values you’re looking for, down and up, in one query, but have it look for a down entry with no up. That way the rule will trigger until it sees the up message and then clear.

Write a MySQL query that does what you want then use that in the advanced section of the rule.
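
A sketch of the "down entry with no up" query suggested above, added here as an example and not taken from either post. The "Up" pattern is an assumption (the thread does not quote the recovery message; it is mirrored from the "Down" pattern), and the aliases `down_msg` and `up_msg` are names chosen for this example.

```sql
-- Added example: matches only while a "Down" message exists that has
-- no later "Up" message for the same device. Once the "Up" syslog row
-- arrives, the query returns no rows and the alert recovers.
SELECT devices.device_id, down_msg.timestamp, down_msg.msg
FROM devices
JOIN syslog AS down_msg
  ON down_msg.device_id = devices.device_id
WHERE devices.device_id = ?
  -- "Down" pattern copied from the original alert query.
  AND down_msg.msg REGEXP ".WWAN1_GW\\\' is Down."
  AND NOT EXISTS (
        SELECT 1
        FROM syslog AS up_msg
        WHERE up_msg.device_id = down_msg.device_id
          -- Assumed "Up" pattern; adjust to the real recovery message.
          AND up_msg.msg REGEXP ".WWAN1_GW\\\' is Up."
          -- Strictly later: an "Up" logged in the same second as the
          -- "Down" does not clear it, so a fast flap that ends down
          -- is not hidden.
          AND up_msg.timestamp > down_msg.timestamp
      );
```

If syslog rows are purged on a retention schedule, an old "Down" row that ages out also makes the query return nothing, so the alert can recover without an "Up" message ever being seen.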