How can I see who closed a bunch of alerts. I was working demoing SCOM and Squared up and suddenly almost all of my critical alerts were closed. I found them and now I need to know who closed them so we can talk to them and keep them from doing the same thing again.
Look for the Resolved By field. Depending on how you’re viewing them in the console you can add that field as a column.
If you like it the powershell way =)
Get-SCOMAlert -ResolutionState 255 | Where-Object {$_.ResolvedBy -like "yourdomain*" -and $_.timeresolved -gt (get-date).adddays(-7)} | select name,resolvedby
We have a view in SCOM that shows all closed alerts with the ‘last modified by’ column turned on
On a slightly unrelated note, check this out:
https://noalertleftbehind.blog/2017/10/23/contextual-alert-reports-from-within-squared-up/
Add an Alert History perspective to every object in Squared Up?
1 Like
Nice! 
if i could give this more than one upvote i would… what a time saver