topic Re: Do not display certain elements of a search? in Splunk Search

Do not display certain elements of a search?

Rajaion — Tue, 04 Oct 2022 13:37:23 GMT

Hello community,

I am having a problem with a dashboard that I am setting up based on Splunk OnCall data, in order to see the acknowledgment and resolution times for alerts.

In order to see the resolution period of my alerts, I made a dashboard that shows me the right information:

However, I sometimes have lines with two users displayed, and no more dates:

Looking at the alert in detail, I see that the item I retrieve contains two pieces of information:
One for the user who acknowledged the alert, and one for the resolution, always done by the "SYSTEM" user:

In the construction of my research, I cannot "impose" to keep only the "SYSTEM" user when I display the resolved alerts (in the context of acknowledged alerts, it is simpler because I filter the states ACKED upstream):

index="oncall_prod" routingKey=* | search currentPhase=RESOLVED | dedup incidentNumber | rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident | eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") | eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ") | eval temps_ack = tostring((ack_time - create_time), "duration") | eval create_time=((create_time)+7200) | eval ack_time=((ack_time)+7200) | eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ") | eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ") | eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ") | rename temps_ack as Temps_Traitement | table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

Do you have any idea what changes I need to make to successfully see only the user linked to the resolution? I'm sure it's a stupid thing but I can't quite put my finger on it.

Best regards,

Rajaion

Re: Do not display certain elements of a search?

gcusello — Tue, 04 Oct 2022 16:06:53 GMT

Hi @Rajaion,

let me understand:

you sometimes have in the user name two values "system" and another one in the same event.

Now you want to take only the values "SYSTEM", is it correct?

if this is your requirement, you could add mvexpand utilisateur and filter for this field, please try someting like this:

index="oncall_prod" routingKey=* | search currentPhase=RESOLVED | dedup incidentNumber | rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident | eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") | eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ") | eval temps_ack = tostring((ack_time - create_time), "duration") | eval create_time=((create_time)+7200) | eval ack_time=((ack_time)+7200) | eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ") | eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ") | eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ") | rename temps_ack as Temps_Traitement | mvexpand Utilisateur | search Utilisateur=SYSTEM | table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

Ciao.

Giuseppe

Re: Do not display certain elements of a search?

johnhuang — Tue, 04 Oct 2022 16:50:21 GMT

Looks like you're dealing with multivalue fields and you wanted to extract the first value of 'transitions{}.at' and the last value of 'transitions{}.by'.

See below in RED:

index="oncall_prod" routingKey=*
| search currentPhase=RESOLVED
| dedup incidentNumber
| rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident
| eval ack=MVINDEX(ack, 0)
| eval Utilisateur=MVINDEX(Utilisateur, -1)
| eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ")
| eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ")
| eval temps_ack = tostring((ack_time - create_time), "duration")
| eval create_time=((create_time)+7200)
| eval ack_time=((ack_time)+7200)
| eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ")
| eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ")
| eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ")
| rename temps_ack as Temps_Traitement
| table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

Re: Do not display certain elements of a search?

Rajaion — Wed, 05 Oct 2022 12:12:29 GMT

Hi @johnhuang,

I just tested your solution and it is almost perfect, I just adjusted the MVINDEX (which I discover as a function, I learn about it every day) so that in addition to taking the user to -1, it takes also the closing time at -1. My command looks like:
index="oncall_prod" routingKey=*
| search currentPhase=RESOLVED
| dedup incidentNumber
| rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident
| eval ack=MVINDEX(ack, -1)
| eval Utilisateur=MVINDEX(Utilisateur, -1)
| eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ")
| eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ")
| eval temps_ack = tostring((ack_time - create_time), "duration")
| eval create_time=((create_time)+7200)
| eval ack_time=((ack_time)+7200)
| eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ")
| eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ")
| eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ")
| rename temps_ack as Temps_Traitement
| table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

And it does not impact when I switch my same request with ACKED (instead of RESOLVED). Thank you for your help.

Best regards,

Rajaion

Re: Do not display certain elements of a search?

Rajaion — Wed, 05 Oct 2022 12:18:32 GMT

Hi @gcusello ,

Thanks for your solution. I tested it but I end up with a problem, it is that I do not see the dates, I have the impression that it just removes the other name to keep only SYSTEM, which is good in itself but does not take into account the solving time and the calculation that goes behind it:

With the other solution, I manage to recover the processing time. However, I keep your solution that I will apply to other of my dashboards.

Best regards,

Re: Do not display certain elements of a search?

johnhuang — Wed, 05 Oct 2022 13:39:21 GMT

"| eval ack=MVINDEX(ack, -1)" gives you the last value of the multivalue field which in this case is the system resolved time.

If the multivalue field consistently contains 2 values, you can use MVINDEX(ack, 0) to get the first value and MVINDEX(ack, 1) to extract the second (or last) value. However in cases where the number of values are unknown or inconsistent and you want to extract the last value, then using MVINDEX(ack, -1) does the trick.

Re: Do not display certain elements of a search?

Rajaion — Wed, 05 Oct 2022 13:45:35 GMT

Thanks for the precision. In my case, the last value will necessarily be that of the resolution (and the only other, that of the potential acknowledgment) so it fits exactly in my case. But I take good note of the function of "MVINDEX" for other needs.

Rajaion