
| `incident_review` time incident was assigned / closed

Path Finder

If I run the following search from 'incidentreview' I can establish certain fields, but I need to try and calculate exactly when an incident was either assigned or closed. The idea is a dashboard for KPI purposes. The search gives me the time and the status_label, but how would I work out when the status_label came into play?

| incident_review | fields time, owner, reviewer, ruleid, status_label, urgency

So to clarify, an incident came in at 09:00 and was assigned for investigation at 09:45. This could potentially breach an SLA / KPI of 30 minutes, but how would I establish what time it was assigned?

Appreciate any thoughts on this.

1 Solution

SplunkTrust

This isn't pretty and might need an additional time filter for the inputlookup where, but should work:

index=notable 
| `get_event_id` | eval rule_id=case(isnotnull(rule_id),rule_id,isnotnull(event_id),event_id,1=1,"unknown") 
| stats min(_time) as notable_time by rule_id
| inputlookup append=true incident_review_lookup where owner="*" OR status="5"
| eval assign_time = case(isnotnull(owner), time) | eval close_time = case(status=5, time)
| stats min(notable_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by rule_id
| eval assign_duration = case(isnull(notable_time), "notable not in time range", isnull(assign_time), "not assigned yet", true(), assign_time - notable_time)
| eval close_duration = case(isnull(notable_time), "notable not in time range", isnull(close_time), "not closed yet", true(), close_time - notable_time)

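As an added illustration (not from the thread), the logic of that search written out in Python over constructed incident_review_lookup rows, so the assign/close arithmetic and its edge cases (not assigned yet, not closed yet, notable outside the searched range) can be checked offline; the rule ids, owners and times are made up.

```python
from datetime import datetime, timezone

SLA_SECONDS = 1800   # the 30-minute assignment SLA mentioned in the question
STATUS_CLOSED = 5    # ES notable status id for "Closed", as stated in the thread

def ts(s):
    # Parse a constructed 'YYYY-MM-DD HH:MM' string into epoch seconds (UTC).
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp())

# Constructed stand-in for `stats min(_time) as notable_time by rule_id`.
NOTABLES = {"r1": ts("2024-01-01 09:00"), "r2": ts("2024-01-01 10:00")}

# Constructed incident_review_lookup rows (time, rule_id, owner, status). r1 is assigned
# at 09:45 and closed at 11:00, r2 is assigned but still open, and r3's notable falls
# outside the searched time range (hypothetical ids and owners).
REVIEWS = [
    {"time": ts("2024-01-01 09:45"), "rule_id": "r1", "owner": "analyst_a", "status": 2},
    {"time": ts("2024-01-01 11:00"), "rule_id": "r1", "owner": "analyst_a", "status": 5},
    {"time": ts("2024-01-01 10:05"), "rule_id": "r2", "owner": "analyst_b", "status": 2},
    {"time": ts("2024-01-01 12:00"), "rule_id": "r3", "owner": "analyst_b", "status": 2},
]

def _earliest(current, candidate):
    return candidate if current is None else min(current, candidate)

def _duration(notable_time, event_time, pending_msg):
    # Same three-way case() as the accepted answer's assign_duration / close_duration.
    if notable_time is None:
        return "notable not in time range"
    if event_time is None:
        return pending_msg
    return event_time - notable_time

def review_metrics(notables, reviews):
    """Per rule_id: earliest owner-set row is assign_time, earliest status 5 row is close_time."""
    times = {}
    for row in reviews:
        m = times.setdefault(row["rule_id"], {"assign": None, "close": None})
        if row["owner"] is not None:
            m["assign"] = _earliest(m["assign"], row["time"])
        if row["status"] == STATUS_CLOSED:
            m["close"] = _earliest(m["close"], row["time"])
    result = {}
    for rule_id in set(times) | set(notables):
        m = times.get(rule_id, {"assign": None, "close": None})
        assign = _duration(notables.get(rule_id), m["assign"], "not assigned yet")
        close = _duration(notables.get(rule_id), m["close"], "not closed yet")
        # A breach is only meaningful when assign_duration is a number of seconds.
        breached = isinstance(assign, int) and assign > SLA_SECONDS
        result[rule_id] = {"assign_duration": assign, "close_duration": close, "sla_breached": breached}
    return result
```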


SplunkTrust

You can configure the List under Configure -> Incident Management -> Notable Event Statuses or run | inputlookup reviewstatuses_lookup.

There's also an id-less list in the docs: http://docs.splunk.com/Documentation/ES/4.6.0/User/NotableEvents#Managing_and_monitoring_notable_eve...


Path Finder

Awesome, thanks again.


SplunkTrust

5 is the value for closed.


Path Finder

Is there a link to what the other status codes relate to? i.e. 5 = closed, 4 = .....


Path Finder

Thanks, much appreciated.


Path Finder

I tip my hat for the effort. Thanks.

What's the purpose of the status="5"?


SplunkTrust

You will have to provide more samples of your fields/data.

If you have some Incident ID you can correlate based on status_label. For example (assuming some of the field name and values just to explain... correct query can be formed only after looking at field names and data)

<Your Base Search>
| stats count as EventCount min(_time) as MinTime max(_time) as MaxTime values(status_label) as status_label last(owner) as CurrentOwner last(reviewer) as reviewer last(urgency) as CurrentUrgency by IncidentID

Then you can filter and evaluate further for Incidents created but not assigned using query like

| search status_label="created" AND status_label!="assigned"
| eval durationInSeconds=now()-MinTime
| search durationInSeconds>1800
| eval _time=MinTime
| table _time IncidentID EventCount status_label CurrentOwner reviewer CurrentUrgency

You can create an alert for the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Path Finder

I'm not sure that's possible, as it's effectively calling the incident_review macro. So I believe the only fields that can be called are time, comment, owner, reviewer, ruleid, rulename, status, statusdefault, statusdescription, statusend, statusgroup, statuslabel, time and urgency.

The rule_id is unique so potentially could be joined in some way to a 'notable event' I guess?
