Hi. I’m trying to write a script that will automatically un-acknowledge any alert that has been ack’d for more than 8 hours. It seems there is no direct way of getting the current duration since a service was acknowledged, so I’m trying to determine a way for me to calculate that based on various queries. One of the things I need to get is a list of acknowledged services. It looks to me like the entry_time column from the comments table is what I want to check to see when a service/host was acknowledged. Unfortunately, it either isn’t showing me the correct time or I’m not understanding the intention of this field.
Here’s what I get with one of my queries trying to determine the entry_time:
[root@dc01kg0066na mk-livestatus-1.2.2p1]# echo -e 'GET comments\nFilter: entry_type = 2\nColumns: entry_time' | nc 127.0.0.1 6557 | wc -l
764
[root@dc01kg0066na mk-livestatus-1.2.2p1]# echo -e 'GET comments\nFilter: entry_type = 2\nColumns: entry_time' | nc 127.0.0.1 6557 | sort | uniq
1368048393
1368048394
1368048395
1368048396
1368048398
[root@dc01kg0066na mk-livestatus-1.2.2p1]# date -d @1368048393
Wed May 8 16:26:33 CDT 2013
[root@dc01kg0066na mk-livestatus-1.2.2p1]# date
Wed May 8 16:49:52 CDT 2013
I know I currently have a LOT of ack’d alerts, so 764 total acknowledgements sounds realistic. Probably a little low actually.
But, as you can see, of the 764 acknowledgements, there are only 5 unique times and they are all within ~20 minutes. That is very wrong. I know I currently have acknowledgements that have been there for days, weeks, and even months.
Any guidance appreciated.
Thanks
John