topic Re: IT Service Intelligence: How to get acknowledged notable events? in Splunk ITSI https://community.splunk.com/t5/Splunk-ITSI/IT-Service-Intelligence-How-to-get-acknowledged-notable-events/m-p/383829#M618 <P>I solved it using:</P> <PRE><CODE>index=itsi_notable_audit acknowledged | join event_id [| inputlookup itsi_notable_event_group_lookup | rename _key as event_id] | join event_id [ search index=itsi_grouped_alerts | rename itsi_group_id as event_id ] | table activity, itsi_group_description, _time </CODE></PRE> Tue, 21 May 2019 14:56:41 GMT sboogaar 2019-05-21T14:56:41Z IT Service Intelligence: How to get acknowledged notable events? https://community.splunk.com/t5/Splunk-ITSI/IT-Service-Intelligence-How-to-get-acknowledged-notable-events/m-p/383828#M617 <P>Is it possible to get a list with itsi acknowledged events?<BR /> I tried to get it based on the status like:</P> <PRE><CODE>index=itsi_tracked_alerts status=2 </CODE></PRE> <P>But I get no results, however when I try:</P> <PRE><CODE>index=itsi_notable_audit acknowledged </CODE></PRE> <P>I will get events like:</P> <BLOCKQUOTE> <P>{ [-] <BR /> activity: admin acknowledged notable event group <BR /> activity_type: Notable Event Group Update <BR /> event_id: 0cb32c45-2203-40e7-884c-73301b9da1e2<BR /><BR /> user: admin } Show as raw text<BR /> But the event_id is specific for the acknowledge action so I can not relate it to which event is acknowledged.<BR /> What I want to do is send an email with the acknowledged events (and the event description) when an event is acknowledged. Therefore im trying to make a savedsearch that gets all acknowledged events.</P> </BLOCKQUOTE> Wed, 30 Sep 2020 00:38:55 GMT https://community.splunk.com/t5/Splunk-ITSI/IT-Service-Intelligence-How-to-get-acknowledged-notable-events/m-p/383828#M617 sboogaar 2020-09-30T00:38:55Z Re: IT Service Intelligence: How to get acknowledged notable events? https://community.splunk.com/t5/Splunk-ITSI/IT-Service-Intelligence-How-to-get-acknowledged-notable-events/m-p/383829#M618 <P>I solved it using:</P> <PRE><CODE>index=itsi_notable_audit acknowledged | join event_id [| inputlookup itsi_notable_event_group_lookup | rename _key as event_id] | join event_id [ search index=itsi_grouped_alerts | rename itsi_group_id as event_id ] | table activity, itsi_group_description, _time </CODE></PRE> Tue, 21 May 2019 14:56:41 GMT https://community.splunk.com/t5/Splunk-ITSI/IT-Service-Intelligence-How-to-get-acknowledged-notable-events/m-p/383829#M618 sboogaar 2019-05-21T14:56:41Z