I do something similar to the following as a search workflow action (after I've created the initial lookup table):
index=_audit action=alert_fired sid=$sid$
| fields + sid
| eval alarm_status="acknowledged"
| inputlookup append=true alarm_lookup
| outputlookup alarm_lookup
This appends the current acknowledged alert to the lookup table, and then I have two separate search queries: one that searches for all action=alert_fired NOT alarm_status="acknowledged" and a second for action=alert_fired alarm_status="acknowledged". This gives me my new errors as well as the acknowledged errors.
I'm not a huge fan of using the lookup table and would prefer to have some way to tag events after they've been ingested. The other issue I've run into is the ability to bulk acknowledge: if I suddenly receive 100 alarms, I have to acknowledge each one individually.
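A bulk-acknowledge variant of the workflow-action search above, added here as an example rather than taken from the original post. It assumes alarm_lookup is a lookup definition with sid and alarm_status columns, acknowledges every alert fired in the selected time range that is not already recorded, and dedups on sid so running it twice does not duplicate rows:

```spl
index=_audit action=alert_fired
| fields + sid
| lookup alarm_lookup sid OUTPUT alarm_status
| where isnull(alarm_status)
| eval alarm_status="acknowledged"
| inputlookup append=true alarm_lookup
| dedup sid
| outputlookup alarm_lookup
```

Scope the time picker to the burst of alerts you mean to acknowledge before running it, since everything matched in the range is written to the lookup.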