topic Re: Define: Time to Triage in Splunk Search

How does Splunk calculate Time to Triage?

-Chris- — Wed, 01 Jun 2022 15:26:22 GMT

How does Splunk calculate Time to Triage, what data does it use? e.g. time an event occurred and time the event was put modified or put in pending etc.?

Re: Define: Time to Triage

gcusello — Wed, 01 Jun 2022 10:52:04 GMT

Hi @-Chris-,

it isn't so clear for me what you mean with "Time to triage"

if you mean the time that Splunk need to index a log, it's very low and depends on the time requested to transfer data from Universal Forwarder to Indexer, then it depends on the queue that you can monitor using the Monitor Console.

It's possible to modify data only before indexing, during the parsing phase, after data are uneditable, and they are pending only if there are queues that you can see using the Monitor Console.

Ciao.

Giuseppe

Re: Define: Time to Triage

-Chris- — Thu, 02 Jun 2022 03:06:07 GMT

Example: https://community.splunk.com/t5/Splunk-Search/Mean-Time-To-Triage/m-p/568484

This is specifically related to Splunk ES and Notable Events (NE). We assume that TTT is the time that an NE fires how long until it is next modified, e.g. the status is changed. We want to confirm this.

Re: Define: Time to Triage

-Chris- — Thu, 02 Jun 2022 03:41:46 GMT

More investigation looks like it uses a field called "duration"? But we can't see how it is calculated or what process steps influence the duration. i.e update timestamps.