topic Re: Mean Time To Triage in Splunk Search

Mean Time To Triage

ymalm188 — Sun, 26 Sep 2021 13:50:58 GMT

i have this spl

it should display the mean time to triage for 14 days but it doesn't work for 14 days and works for 30 days.

any advise ?

Re: Mean Time To Triage

bowesmana — Mon, 27 Sep 2021 00:48:51 GMT

What is the time window of your search?

Re: Mean Time To Triage

ymalm188 — Wed, 29 Sep 2021 06:07:24 GMT

14 days

Re: Mean Time To Triage

bowesmana — Wed, 29 Sep 2021 07:57:47 GMT

The query seems to be getting time in the join statements. If you run just this part of the query - what time range of data do you get back?

Re: Mean Time To Triage

ymalm188 — Wed, 29 Sep 2021 12:19:10 GMT

it returned data for any time range i specify, especially 14 days that's what i want it returned data too so i think the problem with joining.

Re: Mean Time To Triage

bowesmana — Wed, 29 Sep 2021 22:10:40 GMT

Yes, - the join is doing calculations with time taken from the lookup for each rule_id. It appears to be calculating review times based on those items found in the 14 day search and then looking for amount of time taken to review (ttt=review_time-_time).

It would seem that is the intention of the search, that you will see data going back more than the search window, as it appears that it is looking for activity in the last 14 days and then trying to find data about how long the incident has taken to review, which of course will have to look back to when the rule was originally triggered.

So, is there actually a problem?

Re: Mean Time To Triage

ymalm188 — Sun, 03 Oct 2021 08:43:43 GMT

yes, your description is totally right so why i can't find any results for the last 14 days although there are actual data in these 14 days ? it was working before and suddenly stopped working.

Re: Mean Time To Triage

bowesmana — Mon, 04 Oct 2021 22:46:43 GMT

So, if I understand you correctly, you get results from the first part of the search over 14 days without the join, but you are now saying that the full search over 14 days returns no resuts?

The search is 3 parts

The base tstats from datamodel
The join statement
Aggregations based on information from 1 and 2

So, run the second part of the search

| from inputlookup:incident_review_lookup | eval _time=time | stats earliest(_time) as review_time by rule_id

Then if that gives you data and you KNOW that there is a rule_id that is common to both parts 1 and 2, then it is the 3rd part of the search that is does not have the right fields available.

The way for you to diagnose this is to gradually build up the search, adding each PIPE section to the search to understand what is causing the data to disappear.

Re: Mean Time To Triage

ymalm188 — Wed, 06 Oct 2021 12:59:56 GMT

when i run the first part i got result and also for the second part but when i run them together i got no data

like that:

i think there is a problem in the join

Re: Mean Time To Triage

bowesmana — Wed, 06 Oct 2021 21:21:20 GMT

So if part 1 and part 2 are successful in their own right, then the issue is either

the field rule_id is not in the first data set
the field rule_id is not in the incident_review_lookup lookup
there are no common instances of rule_id in both data sets