An active alert has two components:
- the alert definition
- the monitored object (node, interface, etc.)
What I do is use the TRAPviewer to tag traps of interest with a key, then use a CUSTOM SQL alert on a NODE like this:
Trigger Condition:
WHERE nodeid IN (SELECT nodeid FROM traps WHERE datetime>Dateadd(hour,-1, Sysdatetime()) and tag='OSPF_IF_CONFIG_ERROR' )
(In this case, incoming traps for OSPF_IF_CONFIG_ERROR tags received in the last hour will trigger the alert.)
Reset Condition is:
WHERE nodeid NOT IN (SELECT nodeid FROM traps WHERE datetime>Dateadd(hour,-1, Sysdatetime()) and tag='OSPF_IF_CONFIG_ERROR' )
(Aside: do not let the Alert editor 'reverse' the trigger rule for you; it will get it wrong.)
For traps received in the past 10 minutes, use datetime>Dateadd(minute,-10, Sysdatetime())
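Added example, not part of the original post: a T-SQL script that runs the trigger and reset conditions above against constructed data, and shows one edge case of the NOT IN reset. The table variables @nodes and @traps, the captions, the LINK_FLAP tag and the trap row with a NULL nodeid are all assumptions made for illustration; whether the real traps table can hold a NULL nodeid depends on the installation.

```sql
-- Constructed stand-ins for the node and trap tables (hypothetical data).
DECLARE @nodes TABLE (nodeid INT PRIMARY KEY, caption VARCHAR(32));
DECLARE @traps TABLE (nodeid INT NULL, [datetime] DATETIME2, tag VARCHAR(64));

INSERT INTO @nodes VALUES (1, 'core-rtr-1'), (2, 'core-rtr-2'), (3, 'edge-sw-1');
INSERT INTO @traps VALUES
  (1,    DATEADD(minute, -5,  SYSDATETIME()), 'OSPF_IF_CONFIG_ERROR'), -- inside the window
  (2,    DATEADD(hour,   -3,  SYSDATETIME()), 'OSPF_IF_CONFIG_ERROR'), -- too old
  (3,    DATEADD(minute, -20, SYSDATETIME()), 'LINK_FLAP'),            -- different tag
  (NULL, DATEADD(minute, -2,  SYSDATETIME()), 'OSPF_IF_CONFIG_ERROR'); -- assumed: trap with no matching node

-- Trigger condition from the post: only core-rtr-1 is returned.
SELECT caption AS triggered
FROM @nodes
WHERE nodeid IN (SELECT nodeid FROM @traps
                 WHERE [datetime] > DATEADD(hour, -1, SYSDATETIME())
                   AND tag = 'OSPF_IF_CONFIG_ERROR');

-- Reset condition from the post: returns NO rows while the NULL row is in
-- the window, because "x NOT IN (1, NULL)" evaluates to UNKNOWN for every x.
SELECT caption AS reset_not_in
FROM @nodes
WHERE nodeid NOT IN (SELECT nodeid FROM @traps
                     WHERE [datetime] > DATEADD(hour, -1, SYSDATETIME())
                       AND tag = 'OSPF_IF_CONFIG_ERROR');

-- Same reset intent, NULL-safe: excluding NULLs in the subquery
-- returns core-rtr-2 and edge-sw-1 as expected.
SELECT caption AS reset_null_safe
FROM @nodes
WHERE nodeid NOT IN (SELECT nodeid FROM @traps
                     WHERE nodeid IS NOT NULL
                       AND [datetime] > DATEADD(hour, -1, SYSDATETIME())
                       AND tag = 'OSPF_IF_CONFIG_ERROR');
```

If the reset never fires in practice, checking the subquery for NULL nodeid values is a quick first diagnostic.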