Splunk Search

| `incident_review` time incident was assigned / closed

jacqu3sy
Path Finder

If I run the following search from 'incident_review' I can establish certain fields, but I need to try and calculate exactly when an incident was either assigned or closed. The idea is for a dashboard for KPI means. The search gives me the time and the status_label, but how would I work out when the status_label came into play?

| incident_review | fields _time, owner, reviewer, rule_id, status_label, urgency

So to clarify, an incident came in at 09:00 and was assigned for investigation at 09:45. This could potentially breach an SLA / KPI of 30 minutes, but how would I establish what time it was assigned?

Appreciate any thoughts on this.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

This isn't pretty and might need an additional time filter for the inputlookup where, but should work:

index=notable 
| `get_event_id` | eval rule_id=case(isnotnull(rule_id),rule_id,isnotnull(event_id),event_id,1=1,"unknown") 
| stats min(_time) as notable_time by rule_id
| inputlookup append=true incident_review_lookup where owner="*" OR status="5"
| eval assign_time = case(isnotnull(owner), time) | eval close_time = case(status=5, time)
| stats min(notable_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by rule_id
| eval assign_duration = case(isnull(notable_time), "notable not in time range", isnull(assign_time), "not assigned yet", true(), assign_time - notable_time)
| eval close_duration = case(isnull(notable_time), "notable not in time range", isnull(close_time), "not closed yet", true(), close_time - notable_time)
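
The search above is hard to sanity-check without an ES instance, so here is an added offline model of its logic in Python (example code, not from the original post or from Splunk). The constructed rows mimic the `notable` index and the `incident_review_lookup` fields used in the thread (`rule_id`, `owner`, `status`, `time`); the rule_ids and timestamps are hypothetical. It reproduces the three `stats min(...)` steps and the two `case()` duration evals with the same fallback strings, and adds one thing the SPL does not have: a boolean SLA flag for the 30-minute assignment target from the question. The ABC-9 row shows the caveat the answer mentions about the lookup not being time-filtered.

```python
"""Offline model of the accepted answer's SPL pipeline (added example)."""
from typing import Callable, Dict, List, Optional, Union

Row = Dict[str, object]
Duration = Union[int, str]

# Constructed sample data standing in for `index=notable` (hypothetical ids).
NOTABLES: List[Row] = [
    {"rule_id": "ABC-1", "_time": 1_700_000_000},  # first sighting, 09:00 in the question
    {"rule_id": "ABC-1", "_time": 1_700_000_300},  # later repeat; min() ignores it
    {"rule_id": "ABC-2", "_time": 1_700_001_000},
    {"rule_id": "ABC-3", "_time": 1_700_002_000},  # never touched by an analyst
]

# Constructed rows standing in for incident_review_lookup. status "5" = closed.
REVIEWS: List[Row] = [
    {"rule_id": "ABC-1", "owner": "analyst1", "status": "1", "time": 1_700_002_700},  # assigned +45 min
    {"rule_id": "ABC-1", "owner": "analyst1", "status": "5", "time": 1_700_010_000},  # closed
    {"rule_id": "ABC-2", "owner": "analyst2", "status": "1", "time": 1_700_001_600},  # assigned +10 min
    {"rule_id": "ABC-9", "owner": "analyst3", "status": "5", "time": 1_700_005_000},  # no notable in range
]


def min_time_by_rule(rows: List[Row], time_field: str,
                     keep: Callable[[Row], bool] = lambda r: True) -> Dict[str, int]:
    """Equivalent of `| stats min(<time_field>) by rule_id` over rows where keep() holds."""
    earliest: Dict[str, int] = {}
    for row in rows:
        if not keep(row):
            continue
        rid = str(row["rule_id"])
        t = int(row[time_field])  # type: ignore[arg-type]
        earliest[rid] = min(earliest.get(rid, t), t)
    return earliest


def _duration(notable_time: Optional[int], event_time: Optional[int], pending: str) -> Duration:
    """Mirror of the case() evals: notable missing -> message, event missing -> pending, else seconds."""
    if notable_time is None:
        return "notable not in time range"
    if event_time is None:
        return pending
    return event_time - notable_time


def review_durations(notables: List[Row], reviews: List[Row],
                     sla_seconds: int = 1800) -> Dict[str, Dict[str, object]]:
    """Per rule_id: first notable time, assignment/closure durations, and an SLA flag."""
    notable_time = min_time_by_rule(notables, "_time")
    # case(isnotnull(owner), time): a review row is an assignment when owner is set
    assign_time = min_time_by_rule(reviews, "time", lambda r: bool(r.get("owner")))
    # case(status=5, time): status 5 is the closed state per the thread
    close_time = min_time_by_rule(reviews, "time", lambda r: str(r.get("status")) == "5")

    report: Dict[str, Dict[str, object]] = {}
    for rid in sorted(set(notable_time) | set(assign_time) | set(close_time)):
        nt = notable_time.get(rid)
        assign = _duration(nt, assign_time.get(rid), "not assigned yet")
        close = _duration(nt, close_time.get(rid), "not closed yet")
        report[rid] = {
            "notable_time": nt,
            "assign_duration": assign,
            "close_duration": close,
            # Added beyond the SPL: True only when a numeric duration exceeds the SLA.
            "assign_sla_breached": isinstance(assign, int) and assign > sla_seconds,
        }
    return report


if __name__ == "__main__":
    for rule_id, fields in review_durations(NOTABLES, REVIEWS).items():
        print(rule_id, fields)
```

ABC-1 comes out at 2700 s to assignment (the 45-minute breach from the question) and 10000 s to closure; ABC-2 is within the 30-minute target and still open; ABC-3 is "not assigned yet"; ABC-9 has review rows but no notable in the searched window, which is the case the extra time filter on the lookup would need to handle.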

martin_mueller
SplunkTrust
SplunkTrust

You can configure the List under Configure -> Incident Management -> Notable Event Statuses or run | inputlookup reviewstatuses_lookup.

There's also an id-less list in the docs: http://docs.splunk.com/Documentation/ES/4.6.0/User/NotableEvents#Managing_and_monitoring_notable_eve...

0 Karma

jacqu3sy
Path Finder

Awesome. Thanks again.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

5 is the value for closed.

0 Karma

jacqu3sy
Path Finder

Is there a link to what the other status codes relate to? i.e. 5 = closed, 4 = .....

0 Karma

jacqu3sy
Path Finder

Thanks, much appreciated.

0 Karma

jacqu3sy
Path Finder

I tip my hat for the effort. Thanks.

What's the purpose of the status="5"?

0 Karma

niketn
Legend

You will have to provide more samples of your fields/data.

If you have some Incident ID you can correlate based on status_label. For example (assuming some of the field name and values just to explain... correct query can be formed only after looking at field names and data)

<Your Base Search>
| stats count as EventCount min(_time) as MinTime max(_time) as MaxTime values(status_label) as status_label last(owner) as CurrentOwner last(reviewer) as reviewer last(urgency) as CurrentUrgency by IncidentID

Then you can filter and evaluate further for Incidents created but not assigned using query like

| search status_label="created" AND status_label!="assigned"
| eval durationInSeconds=now()-MinTime
| search durationInSeconds>1800
| eval _time=MinTime
| table _time IncidentID EventCount status_label CurrentOwner reviewer CurrentUrgency

You can create an alert for the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jacqu3sy
Path Finder

I'm not sure that's possible as it's effectively calling the incident_review macro. So I believe the only fields that can be called are _time, comment, owner, reviewer, rule_id, rule_name, status, status_default, status_description, status_end, status_group, status_label, time and urgency.

The rule_id is unique so potentially could be joined in some way to a 'notable event' I guess?

0 Karma