Add-on for JIRA: Suggestions for setting date in JIRA rest

Shark2112
Communicator

Hey everyone.

I connected my Splunk to a Jira server via the REST API and ran this search:
| jirarest jqlsearch "" | sort -_time | table _time
_time
2016-11-01 09:31:00
2016-10-31 10:20:03
2016-10-31 09:47:29
..............

But I can't use the time preset: even if I set "last 15 minutes", it shows all the same rows:
_time
2016-11-01 09:31:00
2016-10-31 10:20:03
2016-10-31 09:47:29
..............

Setting "earliest" and "latest" in search:
| jirarest jqlsearch ""
| sort -_time
| table _time
| search earliest=-2d
No results found.

I also tried making a sourcetype with a custom timestamp, but it doesn't help.

Any ideas?

0 Karma

Flynt
Splunk Employee

One thing to remember is that the Jira add-on is a live connection to the Atlassian Jira API. As such, the events are not bound by Splunk's time parameters but rather the parameters you specify in your JQL search. For instance, to find all Jiras on or after 10/30/2016 you would use createdDate>='2016-10-30' as part of your jql search.

Let's say I wanted just the key and description for all records on or after 10/30/2016, I would query this way -

|jira jqlsearch "createdDate>='2016-10-30'" fields "key,description"

Since we are calling the API, all valid JQL time parameters are valid -

Valid formats include: 'yyyy/MM/dd HH:mm', 'yyyy-MM-dd HH:mm', 'yyyy/MM/dd', 'yyyy-MM-dd', or a period format e.g. '-5d', '4w 2d'.

Notice I added the fields option. By default the command will bring back every field available; if you want faster searches, give the command only the fields you want to see.

Shark2112
Communicator

Thank you for the answer. You are right about live requests, so I am thinking about how to move the data to an index (I want a user-friendly dashboard with the standard time select). Now I am trying to export to CSV every 1 minute with | jirarest jqlsearch "updated >= -10m", but in this case every event from the response is cloned, because the file is fully overwritten every time.

0 Karma

Flynt
Splunk Employee

Indexing in this manner introduces some complexity as you WILL have duplication of events due to running over the same keys again in JIRA (one of the reasons I use the live connection more than anything else). My suggestion would be either schedule a search to populate a lookup for the desired items and use the lookup to run your dashboard (make things quicker) or a combination of deduping with the export.

Using the time picker without manipulation will most likely not be an option (this holds true for other things in Splunk see here - https://answers.splunk.com/answers/100326/time-range-options-in-correlation-search.html).

0 Karma
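
The duplication described above comes from scheduled runs whose query windows overlap. The following Python is an added example, not part of the thread and not Splunk or add-on code: it keys stored rows on the issue key so that a repeated issue updates its row instead of adding a copy, then filters the stored rows by a time window. The row fields `key`, `updated` and `status` and the sample issues are constructed assumptions.

```python
from datetime import datetime

# Assumed row shape (not the add-on's documented output): issue "key" plus an
# "updated" stamp in the JQL 'yyyy-MM-dd HH:mm' format quoted in the thread.
FMT = "%Y-%m-%d %H:%M"


def ts(row):
    return datetime.strptime(row["updated"], FMT)


def merge_run(store, rows):
    """Upsert one scheduled run into the store, keyed by issue key.

    A row replaces the stored one only when its 'updated' stamp is not older,
    so re-reading an issue in an overlapping window never adds a copy.
    """
    for row in rows:
        old = store.get(row["key"])
        if old is None or ts(row) >= ts(old):
            store[row["key"]] = row
    return store


def in_window(store, earliest, latest):
    """Emulate a time picker over the stored rows (bounds inclusive), newest first."""
    lo, hi = datetime.strptime(earliest, FMT), datetime.strptime(latest, FMT)
    hits = [r for r in store.values() if lo <= ts(r) <= hi]
    return sorted(hits, key=ts, reverse=True)


# Constructed sample: two runs one minute apart, each asking for "updated >= -10m".
RUN_1 = [
    {"key": "OPS-1", "updated": "2016-11-01 09:25", "status": "Open"},
    {"key": "OPS-2", "updated": "2016-11-01 09:28", "status": "Open"},
]
RUN_2 = [
    {"key": "OPS-1", "updated": "2016-11-01 09:25", "status": "Open"},         # same issue again
    {"key": "OPS-2", "updated": "2016-11-01 09:31", "status": "In Progress"},  # changed since run 1
    {"key": "OPS-3", "updated": "2016-11-01 09:30", "status": "Open"},
]


def demo():
    naive = RUN_1 + RUN_2  # plain append: 5 rows for 3 issues
    store = merge_run(merge_run({}, RUN_1), RUN_2)
    recent = in_window(store, "2016-11-01 09:29", "2016-11-01 09:31")
    return len(naive), len(store), [r["key"] for r in recent]


if __name__ == "__main__":
    print(demo())
```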

Shark2112
Communicator

I made a search with subsearches for adding new events.

0 Karma