Usually when troubleshooting alerts, I go back into the DB and look at the query that the alert editor wrote for me. Quite often I find that the SQL doesn't match what I intended it to do.
To find the SQL queries for alert triggers, use this SQL:
- select alertname,triggerquery from alertdefinitions;
Then go find your alert by name and grab the triggerquery column and study it.
Once you've got the query, you can safely execute it by hand without worrying about it tripping anything.
This is also useful when building new alerts. Once you've designed the trigger, leave the alert disabled. Orion will still generate the query in the DB and you can study it before letting it loose.
Side note:
I've written > 1000 lines of PHP code to do this for me automagically. It extracts alerts from the database and does an "evaluation" of them to determine what Orion targets the alert "could" trigger against and then lists the possible targets.
It's surprising how many times I still write alerts that trip on too many / too few / wrong things.
I do eventually plan to share the code but (like everyone else) I'm a little busy these days.
Chris
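
Added example, not part of the post above and not the PHP tool it mentions: a small audit that reads every stored trigger query, runs it by hand and reports which targets it would match. It assumes an in-memory SQLite stand-in for the Orion database; the `nodes` table, its rows, the three alerts and the `max_targets` threshold are constructed for illustration.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for the Orion database (SQLite, sample rows only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nodes (nodeid INTEGER, caption TEXT, status INTEGER, vendor TEXT);
        INSERT INTO nodes VALUES (1,'core-sw1',1,'Cisco'),(2,'edge-rtr1',2,'Cisco'),
                                 (3,'web01',1,'Linux'),(4,'web02',2,'Linux');
        CREATE TABLE alertdefinitions (alertname TEXT, triggerquery TEXT);
        INSERT INTO alertdefinitions VALUES
          ('Node down', 'SELECT nodeid, caption FROM nodes WHERE status = 2'),
          ('Cisco node down',
           'SELECT nodeid, caption FROM nodes WHERE status = 2 OR vendor = ''Cisco'''),
          ('Windows node down',
           'SELECT nodeid, caption FROM nodes WHERE status = 2 AND vendor = ''Windows''');
    """)
    return db

def looks_like_single_select(sql):
    """Coarse guard: only run text that is one statement starting with SELECT."""
    body = sql.strip().rstrip(";").strip()
    return body.lower().startswith("select") and ";" not in body

def audit_alerts(db, max_targets):
    """Run each stored trigger query by hand and report what it would match."""
    report = {}
    rows = db.execute("select alertname,triggerquery from alertdefinitions").fetchall()
    for name, query in rows:
        if not looks_like_single_select(query):
            report[name] = ("skipped", [])   # never execute anything unexpected
            continue
        targets = [r[1] for r in db.execute(query).fetchall()]
        if not targets:
            verdict = "matches nothing"      # too few: alert can never fire
        elif len(targets) > max_targets:
            verdict = "matches too many"     # e.g. OR where AND was intended
        else:
            verdict = "ok"
        report[name] = (verdict, targets)
    return report

if __name__ == "__main__":
    db = build_sample_db()
    for name, (verdict, targets) in audit_alerts(db, max_targets=2).items():
        print(f"{name}: {verdict} -> {targets}")
```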