Alerting with InfluxQL using variables

I’ve read this topic, which gives a lot of good advice, but it uses the Flux language.

Is there a way to create alerts with InfluxQL? I’m a newbie and, although I can create alerts with simple queries, I can’t get it to iterate with different variable values.
For example, I’d like to create an alert that’s triggered if one of my routers reboots, testing whether the uptime is less than 20 seconds. I can do this with this request:

SELECT sysUpTime as UpTime FROM snmp WHERE agent_host =~ /^10.211.0.2$/ AND time > now() - 1m

Using this test:

But something like this will not work:

SELECT sysUpTime as UpTime FROM snmp WHERE agent_host =~ /^10.211.0.2$/ AND time > now() - 1m

I’ve read about using labels to address query result, but didn’t get it…

Furthermore, even after reading the documentation on Grafana alerts, I couldn’t figure out how to configure an alert on several panels…

Best regards

Hi @codi639

Does the above quoted query work in a regular Grafana panel (not alerting)? If yes, can you share the results?

Here you go, using the variable routerIP:

SELECT last(sysUpTime) FROM snmp WHERE agent_host =~ /^$routerIP$/ AND time > now() - 1m

And with the static IP:

SELECT last(sysUpTime) FROM snmp WHERE agent_host =~ /^10.211.0.11$/ AND time > now() - 1m

This is, of course, the converted result. There’s the “original” result, which is the number in seconds:

And the same query in the alerting section (A) plus B: Reduce and C: Threshold gives an error message or just no results?

I have this error (which does not appear every time I press preview):

with this graphic:

with this conf:

And if I apply the modifications, I can see my firing alert message:

If you used the query above without the regex and in an alert, like this (my syntax is probably wrong)…

SELECT sysUpTime as UpTime FROM snmp WHERE agent_host = '10.211.0.2' AND time > now() - 1m

…then do you get any errors? In other words, is the query in the alerting section giving errors when it contains the regex, but otherwise works fine without the regex?

Just trying to understand the problem better.

If you use the regular expression =~, the query expects a parameter of type /^something$/ to exactly match the value ‘something’. The same applies to =, but without ‘match exactly’: only if the value is the same as ‘something’. I was using this syntax to iterate through my variable, but if you prefer, we can use the simpler syntax for testing.
So no, I don’t have any errors with the query (and your syntax is good!):

SELECT sysUpTime as UpTime FROM snmp WHERE agent_host = '10.211.0.2' AND time > now() - 1m

By the way, I’ve tried to set up an alert on a different panel, which worked well (without iterating through any variables). My problem seems to be that we cannot set up alerts on non-graph or timeseries panels: The alert tab and alert annotations are only supported on graph and timeseries panels.

Hi @codi639 and thanks for the further explanation.

In your query A of the Alerting section, you are using this query…

SELECT sysUpTime as UpTime FROM snmp....

and not this one, right?

SELECT last(sysUpTime) FROM snmp....

Going back to your desire to get the multidimensional alerting working, the end result is to get something like this where you can see which agent_host(s) have sysUpTime below 20, right? In other words, a view like this (but with the agent_host instead of cpu), right?

For now, just to get things working, can you remove the regex and insert three possible values for agent_host using a format like this?

WHERE ("fueltype"::tag =~ /(Wind|Hydro|Nuclear)/)

Well yeah that’s the objective!
And yeah sorry, I made too many tests and sent you the wrong query; I’m using it without the last() function.

Trying with this query:

SELECT sysUpTime FROM snmp WHERE ("agent_host"::tag =~ /(10.211.0.2|10.211.0.3|10.211.0.4)/)

where the 3 addresses are real ones, of course.
It returns:

And nothing as well on the alert rules panel:

I’ve also tried to do multiple queries but didn’t find how to set up multiple alert conditions or configure the alert condition to test every query.
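
Added example, not part of any post in this thread: a Python sketch of the per-router alert the thread is working toward. It builds an anchored, dot-escaped host filter, groups by agent_host so each router is its own series, and applies a last-value reduce and the below-20-seconds threshold per host over constructed sample rows. The GROUP BY clause, the helper names and the sample data are assumptions.

```python
import re

# InfluxQL regexes use Go syntax; for these simple patterns Python's re behaves the same.
HOSTS = ["10.211.0.2", "10.211.0.3", "10.211.0.4"]
LOOSE = "(10.211.0.2|10.211.0.3|10.211.0.4)"  # filter as posted: no anchors, bare dots

def host_regex(hosts):
    """Anchored alternation with literal dots, so only the listed hosts match."""
    return "^(" + "|".join(re.escape(h) for h in hosts) + ")$"

def build_query(hosts, window="1m"):
    """Hypothetical helper: one series per router via GROUP BY on the tag.
    Grafana alerting then evaluates the condition once per returned series."""
    return ('SELECT last("sysUpTime") FROM "snmp" '
            f'WHERE "agent_host" =~ /{host_regex(hosts)}/ '
            f'AND time > now() - {window} GROUP BY "agent_host"')

def evaluate(rows, hosts, threshold=20):
    """rows: (agent_host, sysUpTime in seconds), oldest first.
    Mirrors Reduce(last) then Threshold(< threshold), one result per host."""
    allowed = re.compile(host_regex(hosts))
    last = {}
    for host, uptime in rows:
        if allowed.search(host):
            last[host] = uptime  # keep the newest value per series
    return {host: value < threshold for host, value in last.items()}

# Constructed sample: 10.211.0.3 has just rebooted; 10.211.0.20 is not monitored.
SAMPLE_ROWS = [
    ("10.211.0.2", 86400), ("10.211.0.3", 5400), ("10.211.0.3", 12),
    ("10.211.0.4", 7200), ("10.211.0.20", 3), ("10.211.0.2", 86460),
]

if __name__ == "__main__":
    print(build_query(HOSTS))
    for host, firing in evaluate(SAMPLE_ROWS, HOSTS).items():
        print(host, "FIRING" if firing else "ok")
    # The unanchored filter also selects an address that was never listed.
    print("loose filter matches 10.211.0.20:", bool(re.search(LOOSE, "10.211.0.20")))
```
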