topic Re: Lookup in Splunk Enterprise

How can I capture in the below format?

sidtalup27 — Mon, 05 Dec 2022 16:40:50 GMT

Hello,

We are trying to build a dashboard for Incident SLA compliance.
The data is ingested from JIRA. Tickets are created in JIRA, and Splunk retrieves the information frequently. At this point in time, the concerned fields for me are the Ticket Number and Creation Time. However, when an existing Ticket in JIRA is updated, the new values in Splunk are updated on the existing values. Hence, I lose the previously captured, in this case, I miss out on Creation time, and the same field is updated with New Time. How can I capture in the below format? Please advise.

Ticket Number, Creation Time, Updated Time.

--
Thanks,
Siddarth

Re: Lookup

gcusello — Mon, 05 Dec 2022 14:23:10 GMT

Hi @sidtalup27,

don't use a lookup to save data extracted from Jira, but a summary index so you have also the timestamp information.

Ciao.

Giuseppe

Re: Lookup

sidtalup27 — Mon, 05 Dec 2022 14:37:01 GMT

@gcusello, can you please elaborate? My objective is to create a table of events for a key field, considering INDEX and SOURCETYPE are same.

Re: Lookup

gcusello — Mon, 05 Dec 2022 16:05:23 GMT

Hi @sidtalup27,

I don't know how you collect Jira data, anyway, instead saving them in a lookup save them in a summary index using the collect command so you'll have progressive events with timestamp, the correlation key and the status, so you can display these indormation in a table.

I cannot be more precise because I don't know how you populate the lookup.

Ciao.

Giuseppe