Orion Alert Engine

Last updated: 2026-05-24

The Alert Engine is the part of the Orion Platform that evaluates alert conditions, manages alert state, and fires alert actions. PocketNOC reads alert state from here via SWIS.

What it is

Every Orion module (NPM, SAM, NTA, etc.) writes its observations into a shared database, and the alert engine queries that database on a polling interval to decide whether any alert conditions are currently true.

This is the "is it actually broken" layer of Orion. Without it, you have a system that polls everything and shows it on dashboards but never tells anyone when something is wrong.

How it works

An alert is a rule with three parts:

  1. Trigger condition — a SWQL query that returns rows when the alert should fire. E.g. "all nodes where Status = Critical."
  2. Reset condition — when the alert should clear. Usually the inverse of the trigger.
  3. Actions — what to do when the alert fires. Send email, write to a log, POST to a webhook, run a script, page on-call via a tool like OnPage or PagerDuty.

The alert engine evaluates triggers on a configurable interval (default 60 seconds) and tracks alert state per affected object — active, acknowledged, suppressed, reset. State transitions drive the actions.
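The trigger, reset and acknowledge cycle described above, as an added example that is not Orion or PocketNOC code. It is a simplified model: the predicates stand in for SWQL conditions, the node names and polls are constructed, and re-notifying on every pass while an alert is unacknowledged is an assumption.

```python
"""Simplified model of a trigger/reset/acknowledge alert loop (not Orion code)."""
ACTIVE, ACKNOWLEDGED, RESET = "active", "acknowledged", "reset"
# "suppressed" is left out: the page does not describe its transitions.

class AlertRule:
    def __init__(self, name, trigger, reset, actions):
        self.name = name
        self.trigger = trigger    # predicate standing in for the SWQL trigger query
        self.reset = reset        # predicate standing in for the reset condition
        self.actions = actions    # callables invoked as action(rule_name, object_id, event)
        self.state = {}           # alert state tracked per affected object

    def evaluate(self, objects):
        """One polling pass over the current observations; returns the events fired."""
        events = []
        for obj in objects:
            oid, cur = obj["id"], self.state.get(obj["id"], RESET)
            if cur == RESET and self.trigger(obj):
                self.state[oid] = ACTIVE
                events.append((oid, "triggered"))
            elif cur != RESET and self.reset(obj):
                self.state[oid] = RESET
                events.append((oid, "reset"))
            elif cur == ACTIVE:
                # Assumption: an unacknowledged alert re-notifies on every pass.
                events.append((oid, "repeat"))
        for oid, event in events:
            for action in self.actions:
                action(self.name, oid, event)
        return events

    def acknowledge(self, oid):
        """Acknowledging stops further actions until the alert resets."""
        if self.state.get(oid) != ACTIVE:
            return False
        self.state[oid] = ACKNOWLEDGED
        return True

def run_demo():
    sent = []  # stand-in for email/webhook delivery
    rule = AlertRule("Node critical",
                     trigger=lambda o: o["Status"] == "Critical",
                     reset=lambda o: o["Status"] != "Critical",
                     actions=[lambda name, oid, ev: sent.append((oid, ev))])
    critical = [{"id": "core-sw1", "Status": "Up"}, {"id": "edge-fw2", "Status": "Critical"}]
    healthy = [{"id": "core-sw1", "Status": "Up"}, {"id": "edge-fw2", "Status": "Up"}]
    rule.evaluate(critical)            # constructed poll 1: edge-fw2 triggers
    rule.evaluate(critical)            # poll 2: still unacknowledged, repeats
    rule.acknowledge("edge-fw2")
    rule.evaluate(critical)            # poll 3: acknowledged, nothing sent
    rule.evaluate(healthy)             # poll 4: reset condition true
    rule.evaluate(critical)            # poll 5: fires again after reset
    return sent, rule.state
```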

What you see in PocketNOC

PocketNOC's Alerts screen reads alert state directly from the Orion alert engine via SWIS. What you see in PocketNOC is exactly what's currently active in Orion — the same alert engine, same state, same acknowledgment flow.

When you acknowledge an alert from PocketNOC, the app writes the acknowledgment back through SWIS to the alert engine, which updates state and stops sending further actions for that alert. If your team has email notifications configured, acknowledging in PocketNOC means email stops landing for that alert.

Configuration is still done in the Web Console

PocketNOC reads alert state and writes acknowledgments back; it does not let you create alerts, edit thresholds, or modify alert actions. That work happens in the Orion Web Console under Alerts & Activity → Alert Manager.
