Splunk ITSI

IT Service Intelligence: How to get acknowledged notable events?

sboogaar
Path Finder

Is it possible to get a list of ITSI acknowledged events?
I tried to get it based on the status like:

index=itsi_tracked_alerts status=2

But I get no results. However, when I try:

index=itsi_notable_audit acknowledged

I will get events like:

{
activity: admin acknowledged notable event group
activity_type: Notable Event Group Update
event_id: 0cb32c45-2203-40e7-884c-73301b9da1e2

user: admin
}

But the event_id is specific to the acknowledge action, so I cannot relate it to the event that was acknowledged.
What I want to do is send an email with the acknowledged events (and the event description) when an event is acknowledged. Therefore I'm trying to make a saved search that gets all acknowledged events.

0 Karma
1 Solution

sboogaar
Path Finder

I solved it using:

index=itsi_notable_audit acknowledged
| join event_id
    [| inputlookup itsi_notable_event_group_lookup
    | rename _key as event_id]
| join event_id
    [ search index=itsi_grouped_alerts
    | rename itsi_group_id as event_id ]
| table activity, itsi_group_description, _time


0 Karma
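To make the join semantics of the accepted search visible, here is an added example that is not from the forum thread or from Splunk ITSI: a small Python model of the same pipeline (search the audit index for "acknowledged", join the group lookup on _key renamed to event_id, join the grouped alerts on itsi_group_id renamed to event_id, then keep activity, itsi_group_description and _time), run over constructed records. The field names follow the indexes and lookup named above; every record value is made up, and the SPL defaults it mimics are join's inner-join behaviour, max=1 and overwrite=true.

```python
"""Python model of the accepted SPL answer, run over constructed sample data.

Added example, not code from the thread or from Splunk ITSI. It re-creates what
`index=itsi_notable_audit acknowledged | join event_id [...] | join event_id [...]`
does, so the join semantics (inner join, default max=1, default overwrite=true)
can be checked on small, made-up records.
"""

# Constructed index=itsi_notable_audit events: one per user action on a group.
AUDIT_EVENTS = [
    {"_time": "2024-12-10T09:00:00Z", "user": "admin",
     "activity": "admin acknowledged notable event group",
     "activity_type": "Notable Event Group Update",
     "event_id": "0cb32c45-2203-40e7-884c-73301b9da1e2"},
    {"_time": "2024-12-10T09:05:00Z", "user": "admin",
     "activity": "admin changed severity of notable event group",
     "activity_type": "Notable Event Group Update",
     "event_id": "0cb32c45-2203-40e7-884c-73301b9da1e2"},
    {"_time": "2024-12-10T09:10:00Z", "user": "alice",
     "activity": "alice acknowledged notable event group",
     "activity_type": "Notable Event Group Update",
     "event_id": "11111111-1111-1111-1111-111111111111"},
    # Constructed case: group id that is no longer present in the lookup.
    {"_time": "2024-12-10T09:12:00Z", "user": "bob",
     "activity": "bob acknowledged notable event group",
     "activity_type": "Notable Event Group Update",
     "event_id": "22222222-2222-2222-2222-222222222222"},
]

# Constructed rows of itsi_notable_event_group_lookup (KV store rows keyed by _key).
GROUP_LOOKUP = [
    {"_key": "0cb32c45-2203-40e7-884c-73301b9da1e2",
     "itsi_group_description": "CPU saturation on web tier", "status": "2"},
    {"_key": "11111111-1111-1111-1111-111111111111",
     "itsi_group_description": "Disk latency on db01", "status": "2"},
]

# Constructed index=itsi_grouped_alerts events: several raw alerts share one group id.
GROUPED_ALERTS = [
    {"_time": "2024-12-10T08:40:00Z", "host": "web01",
     "itsi_group_id": "0cb32c45-2203-40e7-884c-73301b9da1e2"},
    {"_time": "2024-12-10T08:41:00Z", "host": "web02",
     "itsi_group_id": "0cb32c45-2203-40e7-884c-73301b9da1e2"},
    {"_time": "2024-12-10T08:55:00Z", "host": "db01",
     "itsi_group_id": "11111111-1111-1111-1111-111111111111"},
]


def search_acknowledged(audit_events):
    """`index=itsi_notable_audit acknowledged`: keep events containing that term."""
    return [e for e in audit_events if "acknowledged" in e["activity"].split()]


def rename(rows, old, new):
    """`| rename old AS new` applied to every row."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]


def spl_join(main_rows, sub_rows, field, max_matches=1, overwrite=True):
    """`| join field [subsearch]` with SPL's defaults: inner join, each main row
    paired with at most `max` (default 1) subsearch rows, and subsearch values
    overwriting the main row's values for the same field name (overwrite=true),
    which includes _time."""
    by_key = {}
    for r in sub_rows:
        by_key.setdefault(r[field], []).append(r)
    joined = []
    for m in main_rows:
        for s in by_key.get(m[field], [])[:max_matches]:
            merged = dict(m)
            for k, v in s.items():
                if overwrite or k not in merged:
                    merged[k] = v
            joined.append(merged)
    return joined


def acknowledged_groups(audit=AUDIT_EVENTS, lookup=GROUP_LOOKUP,
                        grouped=GROUPED_ALERTS, overwrite=True):
    """The whole pipeline from the accepted answer, ending in
    `| table activity, itsi_group_description, _time`."""
    rows = search_acknowledged(audit)
    rows = spl_join(rows, rename(lookup, "_key", "event_id"), "event_id",
                    overwrite=overwrite)
    rows = spl_join(rows, rename(grouped, "itsi_group_id", "event_id"), "event_id",
                    overwrite=overwrite)
    return [{"activity": r["activity"],
             "itsi_group_description": r["itsi_group_description"],
             "_time": r["_time"]} for r in rows]


if __name__ == "__main__":
    for row in acknowledged_groups():
        print(row)
```

Two things the model makes visible. First, the joins are inner joins, so an acknowledgement whose group id is absent from the lookup (the constructed "bob" event) silently disappears from the email; if that matters, check the audit index against the final table. Second, with join's default overwrite=true the subsearch's fields replace the outer event's fields of the same name, so the _time in the final table is taken from the matched itsi_grouped_alerts event rather than from the acknowledgement itself; calling `acknowledged_groups(overwrite=False)` in the model shows the acknowledgement timestamps instead, and in SPL `join overwrite=false` or renaming _time before the join does the same.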
