Orion Alerting: Why all and any are good, but none—not so much

Orion’s Advanced Alert Engine is a powerful way to set up alerts on possible events in your network.  A big part of what makes it so powerful is the ability to create a wide variety of logical statements via the user interface.  So if you want an alert when a node goes down, but not if that node is named Stan, Kyle, or Cartman, then you can set up a trigger condition that will evaluate each down node and if it matches your conditions, the alert is fired.  If not, then it lets the event pass without a remark. 

What’s happening on the back end of the advanced alert engine is that it’s running a SQL Query.  The trigger condition that you create is actually generating that SQL Query.  The alert engine then executes that query every X minutes, and if it evaluates to true, it fires.

One thing that sometimes trips up users is the way the trigger conditions are constructed.  Each trigger has at least one Condition Group.  The Condition Group is a set of statements that are evaluated together.  Each Condition Group has one of the following logical operators that define how the different statements are treated:  All, Any, None, and Not All.

All and Any are fairly straightforward.  All roughly means “AND”.  If I say,

Trigger if all of the following are true:

Node is Down

Node Name is Kenny

then the whole statement is true only when a node named Kenny is in a Down state. 

Any roughly means “OR”.  If I say

Trigger if any of the following are true:

Node is Down

Node is Warning

then the whole statement is true if a node is in a Down or Warning state.  My recommendation to users is that you stick to All and Any.  They are simple, and I can’t think of a logical statement that you cannot accomplish using all or any.

What about None or Not All?  What do they mean, and why did you include them if you don’t think we should use them?  Well, second part first.  We included them because the control that the advanced alert engine uses to turn your statements into SQL Queries is something we license, and it came with all four logical operators, even though we only wanted two of them. 

What do they mean?  None is roughly the same as saying “not any” or “not a single one”.  If you have a series of statements where None is the operator then the engine will look at each statement under it and if any of those individual statements is true, it will construe the whole Condition Group as false.

Trigger if none of the following are true:

Node is Up

Node Name is Chef

This alert will trigger when node is in any state other than up, unless the node is named Chef.  Note that you could just as easily create an alert with an all that accomplishes the same thing:  Node is not Up and Node Name is not Chef. 

Finally, Not All is roughly the same as saying “at least one is false”.

Trigger if not all of the following are true:

Node is Up

Node Name is Chef

With the logical operator changed, this alert will now trigger any time a node is in any state other than up, but it will also trigger if the node name is anything other than Chef, which would make this alert pretty much useless.

There’s a more formal and detailed explanation in the Orion Admin Guide called Understanding Condition Groups.  My advice is stick to All and Any.  Every time I’ve seen anyone try to use None or Not All, they get unexpected results and end up more frustrated than satisfied.   

Denny