Dashboards & Visualizations

Ignoring the time range for certain results

Moreilly97
Path Finder

I have a number of tickets with TicketState : New, In Progress, Closed and Resolved depending on the tickets current state. They also have a short descriptor that involves a short summary of the problem as well as an identifier eg XX23XX2

What im doing is checking if the identifier in ShortDescriptor changes during the life span of the ticket, eg: If the ticket came into state New with a descriptor of XX2X , did the ticket get Resolved with the same descriptor.
I use eventstats to find the earliest ShortDescriptor and latest ShortDescriptor and then compare them.

I have this working and I was happy with it, however, I found a problem with the time range. If I have it set to 30 days, and some tickets were created more than 30 days ago with a different ShortDescriptor than it is 30 days ago, then my eventstats will only use the result from 30 days ago as opposed to its earliest value.

Just wondering if there was a way to get all the tickets within 30 days, and if its earliest state is not New then it will search further back just for those tickets.

Any help is appreciated, thanks.

0 Karma
1 Solution

Moreilly97
Path Finder

Thanks for the suggestions , but due to time constraints I have decided to only include tickets that were created in the time range. This may not get me the most informative results but it is enough for now.

Thanks again!

View solution in original post

0 Karma

Moreilly97
Path Finder

Thanks for the suggestions , but due to time constraints I have decided to only include tickets that were created in the time range. This may not get me the most informative results but it is enough for now.

Thanks again!

0 Karma

elliotproebstel
Champion

Yes, it's possible to engineer a search to do what you're asking - search first for all the tickets observed in the last 30 days, find all their states, and then extend your search backwards for events whose creation was not found in the original time range. Possible to do, but unlikely to be the best approach.

To help you brainstorm the actual best approach, can you define your goal? If you wanted to list the state of all tickets that were opened in the last 30 days, then searching back 30 days would suffice, because every state a ticket had been in would be contained in that window. But obviously that's not the case, so maybe you're searching for the history of all tickets that were closed in the last 30 days? That's a pretty different beast, since a ticket might have been opened 31 days ago or maybe 180 days ago, depending on the SLA for your tickets.

If you can define your goal and describe any real-world limitations (e.g. "No ticket is allowed to exist in an open state for more than 45 days"), then I'm happy to help craft an appropriate search.

tiagofbmm
Influencer

Hello

Eventstats maintains the same number of events that you have, and there are actually limits on it:

Can you check the reason that is happening is not due to overpassing limits?

https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Eventstats

In the limits.conf file, the max_mem_usage_mb setting in the [default] stanza is used to limit how much memory the stats and eventstats commands use to keep track of information. If the eventstats command reaches this limit, the command stops adding the requested fields to the search results. You can increase the limit, contingent on the available system memory.

Additionally, the maxresultrows setting in the [searchresults] stanza specifies the maximum number of results to return. The default value is 50,000. Increasing this limit can result in more memory usage.
0 Karma

Moreilly97
Path Finder

Hi, thanks for the reply.
Its not a problem with limits, its a problem with the time range and how far back eventstats should actually go.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...