How can I exclude a specific recurring time range ...

qbolbk59 · ‎10-06-2017

Hi all,

I need to create a dashboard which can provide me the total review time taken by the analyst. I have created the following query:

| datamodel Incident_Management Notable_Events search | stats earliest(_time) as _time by rule_id  | `drop_dm_object_name("Notable_Events")`| `get_correlations` | join rule_id [| datamodel Incident_Management Incident_Review search  | stats earliest(_time) as reviewtime by Incident_Review.rule_id,Incident_Review.reviewer_realname| `drop_dm_object_name("Incident_Review")`] | eval tot=reviewtime-_time | stats count,avg(tot) as avg_tot,max(tot) as max_tot ,min(tot) as min_tot by reviewer_realname | sort - avg_tot | `uptime2string(avg_tot, avg_tot)` | `uptime2string(max_tot, max_tot)` | `uptime2string(min_tot, min_tot)` |rename *_tot* as *_time_to_review* | fields - *_dec

This is working fine and giving me results close to my expectations. However i don't need to include the off-business hours in the review time. For e.g., if i acknowledged and alert today and i closed it tomorrow, the total review time should not have the Off-business hour time (possibly 8-10 hours) and it should get subtracted.

Can anybody help me here on this issue ?

DalJeanis · ‎10-10-2017

If you absolutely never have a situation where an analyst works on a ticket for more than one work day... i.e., never count more than the work hours during the first and second day :

 | eval daydiff= floor(reviewtime/86400) - floor(_time/86400)
 | eval tot = case(daydiff<=0, reviewtime - _time,
                   daydiff=1, reviewtime - _time - 16*3600,
                   daydiff>1, reviewtime - _time + 8* 3600 - daydiff*86400)

On the other hand, if you want to count all 9-5 hours regardless of weekday or weekend, use this:

 | eval daydiff= floor(reviewtime/86400) - floor(_time/86400)
 | eval tot = case(daydiff<=0, reviewtime - _time,
                   daydiff>=1, reviewtime - _time - daydiff*16*3600)

And, if you want to count off for weekends, but not for weekdays, then there will be some complicated logic that I can't rattle off without checking the time functions.

qbolbk59 · ‎10-15-2017

Hi @DalJeanis

Thanks for helping. The normal working hours is 12 hours a day and 7 days a week. so if an alert was triggered today and it got closed tomorrow, i need to remove the 12 off business hours from the total time taken. similarly if it got closed after two days, i need to remove 24 hours (2*12) and so on. I used the logic provided by you and modified it a bit and now have used the below query and it seems that now it's rendering me exact results.

| datamodel Incident_Management Notable_Events search | stats earliest(_time) as _time by rule_id | `get_correlations` | join rule_id [| datamodel Incident_Management Incident_Review search  | stats earliest(_time) as reviewtime by Incident_Review.rule_id,reviewer_realname | `drop_dm_object_name("Incident_Review")`] | eval tot=reviewtime-_time |eval tot1=round(tot/86400) | eval tot2=(tot-(tot1*43200)) |stats count,avg(tot2) as avg_tot,max(tot2) as max_tot ,min(tot2) as min_tot by reviewer_realname | sort - avg_tot | `uptime2string(avg_tot, avg_tot)` | `uptime2string(max_tot, max_tot)` | `uptime2string(min_tot, min_tot)` |rename *_tot* as *_time_to_review* | fields - *_dec

qbolbk59 · ‎10-15-2017

It's not exact result, but close to the expectations. Needs more tweaking.

Sukisen1981 · ‎10-08-2017

this is an interesting problem...just to be clear-
eval tot=reviewtime-_time
review time is like a start time and the _time is like an end time for each ticket?
basically, you already have for each event the reviewtime like say
event reviewtime(start time) is 10:00 am on a monday
and the
_time (end time) is like say 10:00 AM on Wednesday?
so assuming an 8 hr work day 8:00 - 16:00
your eval tot should be 6 hrs (mon) + 8 hrs(tue) + 2 hrs(wed)= 16?

How can I exclude a specific recurring time range from my search?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2