Clear alerts table count has exceeded set limit
Last week I got an unfamiliar alert in triage:
%NIC-4-608013: Alerter, Alerter ,-,-,-,Detail: 3680: Clear alerts table count 10004 has exceeded set limit of 10000 executed.
I assume that this is similar to when the Alerter falls behind threshold. My question is, how do I determine that the Clear Alerts Table count is below the limit again? Where can I check this either in enVision or a log? I need to justify before I close it out, and need to put it in a wiki for our NOC.
You will know you are below 10,000 because alerts will appear in the Web UI again after they have been cleared out. The alerts display table only clears out when that threshold is reached.
Time is not a factor. The clearing of the alerts table is based purely on count of events, regardless of whether that takes an hour or a year. It can also reset if the Alerter Service is restarted.
You can fine-tune the quantity it takes in the Alert Configuration area on the Set Up Alerter Service page.
So, in theory, if you set it to clear after 10,000 rows (default), you should get only one of these messages that you exceeded 10,000 and the table should clear. I think that the question is, how long will I receive these messages that the count has been exceeded before the table clears?
That I don't know... I've never tested it.
The table usually clears pretty quickly once the threshold is met, so I can't imagine you would get bombarded with these events... unless the system generates a log for each individual alert that is in excess of the threshold number.
Is there a better solution/answer than "it's cleared because alerting is working?"
Is there a NIC_system log where I can look to get the exact time the table count reset? I need to put it in a wiki for our NOC. I work in a compliance context, so we have to be specific about what we do when an alert is triggered.
Is there a specific compliance concern here? I am not aware of "Alerts" being lost when the table clears. I am pretty sure that all it does is to clear the Alert History, so that there is better performance in viewing alerts. You can still go back and report on the alerts even after the table is cleared. Maybe I am missing something here?
I'm not sure what you are looking for here.
There is no event that shows exactly how many alerts are currently loaded and active in the console.
The 608013 event (along with 608014) can provide you the exact time that the table was cleared by looking at the timestamp of the event.
No alert is ever lost as it is written to the IPDB. If you need to see alerts once the table has been resynched, you just have to run one of the Alert reports: Network >> System >> Alerts >> New Alerts by Date/Time.