Convert SWQL to Datadog: Interfaces Over 80% Utilisation

By NetMon Hub Editorial · 30 May 2026

SolarWinds swql → Datadog datadog-metrics fidelity: approximate

Intent: List interfaces currently running above 80% inbound or outbound utilisation.

Same intent; real differences in data or granularity — read the caveats.

This is a good example of why monitoring-tool migration is never copy-paste. The two queries express the same intent but run against fundamentally different data models.

Source — SolarWinds (SWQL)

SELECT n.Caption AS Node, i.Name AS Interface, i.InPercentUtil, i.OutPercentUtil
FROM Orion.NPM.Interfaces i
JOIN Orion.Nodes n ON i.NodeID = n.NodeID
WHERE i.InPercentUtil > 80 OR i.OutPercentUtil > 80

SWQL reads a relational snapshot: InPercentUtil is a pre-computed, last-polled column on the interface row. One query, point-in-time answer.

Target — Datadog

# threshold expressed against the SNMP profile's utilisation metric:
avg(last_5m):snmp.interface.in_utilization{*} by {device,interface} > 80

Datadog has no interface table to SELECT from. It stores tagged time-series metrics collected by the SNMP integration. You don’t query a row — you define a monitor over a metric, grouped by the device and interface tags, evaluated across a time window.

Why this is approximate, not exact

• No point-in-time row. Datadog evaluates over a window (last_5m), so behaviour differs from SWQL’s single-poll value — generally an improvement, but not identical.
• Metric availability depends on the SNMP profile. A ready-made in_utilization metric only exists if the device’s SNMP profile computes it; otherwise you derive it from ifHCInOctets and ifSpeed yourself.
• Tag names vary by integration version and your config (device/interface vs snmp_device).
• In vs out. Reproducing SWQL’s IN OR OUT means either two monitors or a formula combining in_utilization and out_utilization.

Migration takeaway

Translate the intent, not the syntax. Map “what question am I answering?” to the target tool’s idioms, then validate against real data before you decommission the old alert. See the source-side SWQL example for the original in context.