Based on How to produce an alert invocations report?
index=_audit action=alert_fired doesn't seem to show private alerts that got fired. Does it make sense?
@richgalloway, it was because the alert didn't have the Add to Triggered Alerts action at What does the Add to Triggered Alerts action do for an alert?
View solution in original post
@danielbb please convert your comment to an answer n accept it as it has resolved your issue 🙂
Perhaps because the alert is private? Perhaps because _audit leaves something to be desired.
Have you looked in _internal for the information you seek?