Recently we upgraded to NPM 10.6, and for the longest time we've wanted to have some sort of report to show only acknowledged alerts. The idea was that the report could be run daily to show the currently ack'ed alerts that have been so for longer than a few days, and a supervisor could check in with the team member to see what the progress is, or why the alert has been acknowledged for so long without being cleared. This has been something of an issue for us, as acknowledged alerts lose a lot of their visibility even to those who acknowledged them and then let them slip their minds.
This is the SWQL I came up with:
```sql
SELECT
    Nodes.Caption AS [Name],
    AlertDefinitions.Name AS [Alert Name],
    tolocal(AlertStatus.TriggerTimeStamp) AS [Alert Time],
    tolocal(AlertStatus.AcknowledgedTime) AS [Acknowledged Time],
    AlertStatus.AcknowledgedBy AS [Acknowledged By],
    AlertStatus.Notes
FROM Orion.AlertStatus
INNER JOIN Orion.Nodes
    ON AlertStatus.ActiveObject = Nodes.NodeID
INNER JOIN Orion.AlertDefinitions
    ON AlertStatus.AlertDefID = AlertDefinitions.AlertDefID
WHERE Acknowledged = '1'
    AND DayDiff(AlertStatus.AcknowledgedTime, getdate()) > 2
```
This results in the following output:
| Name | Alert Name | Alert Time | Acknowledged Time | Acknowledged By | Notes |
|---|---|---|---|---|---|
| ComputerName | High RAM Utilization | 9/27/2013 10:27:48 AM | 9/27/2013 11:02:08 AM | DOMAIN\Username- Orion Website | Acknowledged:Acked for testing of Orion's reporting functionality. |