
mass acknowledge alerts


Using ESM 9.5, is it possible to mass acknowledge alerts?

Accepted Solutions
Message 3 of 7

Re: mass acknowledge alerts


hi,

1. click on Alarms (top right)

2. shift + click on your Alerts

3. click on menu (top left in this view)

4. Toggle acknowledged


6 Replies
Message 2 of 7

Re: mass acknowledge alerts


define "alerts" please.


Re: mass acknowledge alerts


If by "acknowledge alerts" you mean "mark events as reviewed," you can bulk-select events in your view (say, from a view containing all events from a particular data source) using either Shift or Ctrl to select multiple consecutive or non-consecutive events, respectively.  Then, from the Menu dropdown, select Mark as reviewed > Selected.


Re: mass acknowledge alerts


It is the alarms from the bell icon on the top right. The second answer was what I was looking for, only it is still limited by the number of alarms on one page.

Message 6 of 7

Re: mass acknowledge alerts


boneyard,

  I don't have my notes handy but I think you can do this via command line. I'll reply back tomorrow with a database command that you can try and modify to do what you need.

Message 7 of 7

Re: mass acknowledge alerts


boneyard,

To get into the database on the ESM

nsql /usr/local/ess/data/connect_esm.sql

DISCLAIMER::  Please run any of the below at your own risk.  We used some of this pre-production to clear things out from testing.

## to show the columns of the triggeredalarm table

show columns from triggeredalarm

"This will dump out the columns and give you things to use in your search for conditions"

FROM MY NOTES:::

##### Delete Alarm in bulk

delete from triggeredalarm where triggerdate < '09/13/2014 00:00:00'

#### acknowledge alarms in bulk, make sure you confirm the userid number

update triggeredalarm set status=1, ackdate='10/02/2014 00:00:00', ackuserid=15 where triggerdate < '09/30/2014 00:00:00'

CASE MANAGEMENT

## This opentime logic can go either way, < or >

update casemgt set status=2, closetime='11/27/2013 18:10:48.000' where opentime < '08/12/2013 16:10:36.000'

## To check how many are not closed

select count(*) from casemgt where status <> 2
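
Added example, not part of the thread and not McAfee code: the bulk acknowledge statement above matches every row before the cutoff, including alarms that were already acknowledged, so it would overwrite their original ackdate and ackuserid. This sketch previews the row count first, skips already-acknowledged rows, and rolls back if the count changes. It runs against a constructed SQLite table, not the ESM database; the ISO date strings, the `id` column, the `expected_max` guard and the reading of status=1 as "acknowledged" are assumptions.

```python
import sqlite3

ACKED = 1  # assumption: status=1 means acknowledged, as in the UPDATE posted above

def make_sample_db():
    """Constructed stand-in for triggeredalarm; only the column names come from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE triggeredalarm (id INTEGER PRIMARY KEY, triggerdate TEXT,"
                 " status INTEGER, ackdate TEXT, ackuserid INTEGER)")
    conn.executemany("INSERT INTO triggeredalarm VALUES (?,?,?,?,?)", [
        (1, "2014-09-10 08:00:00", 0, None, None),
        (2, "2014-09-20 12:30:00", 0, None, None),
        (3, "2014-09-25 09:00:00", ACKED, "2014-09-26 00:00:00", 7),  # already acknowledged
        (4, "2014-10-01 10:00:00", 0, None, None),                    # newer than the cutoff
    ])
    conn.commit()
    return conn

WHERE = "status <> ? AND triggerdate < ?"  # skip rows that are already acknowledged

def preview_count(conn, cutoff):
    """Dry run: how many rows the bulk acknowledge would touch."""
    sql = "SELECT COUNT(*) FROM triggeredalarm WHERE " + WHERE
    return conn.execute(sql, (ACKED, cutoff)).fetchone()[0]

def bulk_acknowledge(conn, cutoff, ack_user_id, ack_date, expected_max):
    """Acknowledge open alarms older than cutoff; refuse or roll back on surprises."""
    expected = preview_count(conn, cutoff)
    if expected > expected_max:
        raise ValueError(f"{expected} rows match, more than the {expected_max} allowed")
    cur = conn.execute(
        "UPDATE triggeredalarm SET status = ?, ackdate = ?, ackuserid = ? WHERE " + WHERE,
        (ACKED, ack_date, ack_user_id, ACKED, cutoff))
    if cur.rowcount != expected:  # table changed between preview and update
        conn.rollback()
        raise RuntimeError("row count changed since preview; rolled back")
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = make_sample_db()
    print(bulk_acknowledge(db, "2014-09-30 00:00:00", 15, "2014-10-02 00:00:00", expected_max=10))
    print(db.execute("SELECT id, status, ackuserid FROM triggeredalarm").fetchall())
```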
