Recently we upgraded to NPM 10.6, and for the longest time we've wanted to have some sort of report to show only acknowledged alerts. The idea was that the report could be run daily to show the currently ack'ed alerts that have been so for longer than a few days, and a supervisor could check in with the team member to see what the progress is, or why the alert has been acknowledged for so long without being cleared. This has been something of an issue for us, as acknowledged alerts lose a lot of their visibility even to those who acknowledged them and then let them slip their minds.
This is the SWQL I came up with:
```sql
SELECT Nodes.Caption AS [Name],
       AlertDefinitions.Name AS [Alert Name],
       tolocal(AlertStatus.TriggerTimeStamp) AS [Alert Time],
       tolocal(AlertStatus.AcknowledgedTime) AS [Acknowledged Time],
       AlertStatus.AcknowledgedBy AS [Acknowledged By],
       AlertStatus.Notes
FROM Orion.AlertStatus
INNER JOIN Orion.Nodes
    ON AlertStatus.ActiveObject = Nodes.NodeID
INNER JOIN Orion.AlertDefinitions
    ON AlertStatus.AlertDefID = AlertDefinitions.AlertDefID
WHERE Acknowledged = '1'
  AND DayDiff(AlertStatus.AcknowledgedTime, getdate()) > 2
```
This results in the following output:
| Name | Alert Name | Alert Time | Acknowledged Time | Acknowledged By | Notes |
| --- | --- | --- | --- | --- | --- |
| ComputerName | High RAM Utilization | 9/27/2013 10:27:48 AM | 9/27/2013 11:02:08 AM | DOMAIN\Username- Orion Website | Acknowledged:Acked for testing of Orion's reporting functionality. |
Credit to Jan Pelousek for help in figuring out how to convert the times from UDT into Local time, and for showing me the light in how to set up the date differential logic. Though the current Orion SDK (v1.7) does not support the ToLocal() function, NPM 10.6 does.
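For the supervisor check-in described above, the report rows can be grouped by the account that acknowledged them. This is an added example, not part of the original post: the function names and the sample rows are constructed, the rows are assumed to arrive pipe-delimited in the column order shown above, and `now` is assumed to be local time to match the `tolocal()` columns.

```python
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # timestamp format shown in the report output

# Constructed sample rows, in the report's column order:
# Name | Alert Name | Alert Time | Acknowledged Time | Acknowledged By | Notes |
SAMPLE_ROWS = [
    r"ComputerName | High RAM Utilization | 9/27/2013 10:27:48 AM | 9/27/2013 11:02:08 AM | DOMAIN\Username- Orion Website | Acknowledged:Acked for testing. |",
    r"ServerB | Node Down | 9/20/2013 8:00:00 AM | 9/20/2013 8:05:00 AM | DOMAIN\Other- Orion Website | |",
    r"ServerC | High CPU Load | 9/30/2013 3:55:00 PM | 9/30/2013 4:00:00 PM | DOMAIN\Username- Orion Website | |",
]


def parse_row(line):
    """Split one pipe-delimited report row into a dict of its six columns."""
    cells = [c.strip() for c in line.split("|")][:6]
    if len(cells) < 6:
        raise ValueError(f"expected 6 columns, got {len(cells)}: {line!r}")
    node, alert, _triggered, acked, who, notes = cells
    return {
        "node": node,
        "alert": alert,
        "acked": datetime.strptime(acked, TIME_FMT),
        # Drop the "- Orion Website" suffix so rows group per account.
        "owner": who.split("- Orion Website")[0].strip(),
        "notes": notes,
    }


def stale_by_owner(lines, now, min_days=2):
    """Group alerts acknowledged more than min_days ago by acknowledging account."""
    grouped = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        age = (now - row["acked"]).days  # whole days since acknowledgement
        if age > min_days:
            grouped[row["owner"]].append((age, row["node"], row["alert"]))
    # Oldest acknowledgements first within each owner.
    return {owner: sorted(items, reverse=True) for owner, items in grouped.items()}


if __name__ == "__main__":
    for owner, items in stale_by_owner(SAMPLE_ROWS, datetime(2013, 10, 1, 9, 0)).items():
        for age, node, alert in items:
            print(f"{owner}: {node} / {alert} acknowledged {age} days ago")
```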