Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search Notables for Open and Closure Times

splunkeradmin22
New Member
‎07-09-2021 01:25 PM

Hi Everyone,

I am trying to write a query that will allow me to use my notable_events table, display the time the notable opened and the time it was closed.

Looking through the forums I found:

|eval _time=strftime(_time,"%Y/%m/%d %T")
|eval review_time=strftime(review_time,"%Y/%m/%d %T")
|eval assign_time = case(isnotnull(owner), _time) | eval close_time = case(status=5, review_time)
|stats min(_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by AlertTitle,owner

 But that isn't quite working as it returns 0 results.

Labels (1)
Labels
0 Karma
Reply

efika
Communicator
‎07-16-2021 11:51 AM

Hi @splunkeradmin22 ,

Have a look at the below macro:

|`incident_review`
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...