Skip to main content
Solved

Interface admin/operationally down events

  • November 25, 2024
  • 4 replies
  • 3 views
J
Forum|alt.badge.img

OK.  So I'm fairly new to modifying events in SL1, but our NOC has requested that we research suppressing the "Poller: Interface operationally down" event if "Poller: Interface Admin down" is active on a given interface.  That makes perfect sense to me.  If an interface is admin down, then there is absolutely no need for the operationally down event/alert.  Other tools I have administered in the past had this logic baked in out of the box, but that doesn't seem to be the case with SL1.  I looked at using the Autoclear option for the Admin down event to have it clear the operationally down message, but I'd much rather just not have the operationally down event trigger at all if the interface is admin down.

Any thoughts on how to get this configured?  Thank you.

Best answer by ErickBurgess

This is the Idea that is related to this discussion thread.  Please vote for it it if you haven't already. 

https://community.sciencelogic.com/idea/device-management-ideas/when-an-interface-is-placed-in-admin-down-we-dont-expect-alarm-for-oper-status/83

      4 replies

      B
      • BryanHarding
      • Community Manager
      • December 2, 2024

      SL1 event "suppression" is a configuration of event policies such that if this event occurs again on specific device(s), that an active event record will not be created. The conditional if/else logic to which you refer is not a feature of the SL1 event engine whereby an event would only be created based off of the existence, or not, of other active events. 

      SL1 will actively mask events that are newer and equal or less severe generated on the same device in 10min buckets by default (Event Masks). This feature inherently "hides" such event noise from event tables and can be set to be excluded from Run Book Automation. Can you elaborate on what impact or objective you are currently aiming to address by conditionally "suppressing" the operationally down event? What problem(s) or impact is this currently having for your operations?

        J
        Forum|alt.badge.img
        • jbovee
        • Author
        • Contributor
        • December 2, 2024

        By default, the "Poller: Interface Admin down" event has a severity level of Notice (which is appropriate given that condition requires a manual configuration change).  The "Poller: Interface operationally down" event has a severity level of Major.  Any time an interface is administratively brought down, it also brings it operationally down (down/down).  Since the operationally down condition is a higher severity level than the admin down condition, it is not being suppressed.  This is the situation where the operationally down events are essentially causing false positives for our NOC.  They have procedures in place to respond to all operationally down messages (up/down), and the ones being generated due to a network admin administratively bringing down the interface is essentially a big waste of time.  When it comes to interface states, the current logic in SL1 just appears to be flawed.  What we really need is the following:

        Interface up/up = healthy
        Interface up/down = major
        Interface down/down = notice

          M
          Forum|alt.badge.img
          • Mani
          • Contributor
          • October 1, 2025

          Can we use (Admin Down event policy) to be treated as the "healthy" condition that clears another event (Operational Down), so that alarms open when an interface is simply administratively disabled.

            S
            Forum|alt.badge.img
            • Saskia
            • Contributor II
            • January 6, 2026

            Our customers do not want to receive a ticket in ServiceNow for an interface that is admin down. It creates unnecessary work for them to investigate and close these tickets in their eyes.

              Terms & ConditionsAccessibility statement