Hello, in ES when we run the following macro for a Last 30 mins or Last 24 h time range, Splunk ends up displaying results from all the way back in time, as in the last 6 months of data as well. Why is that so? It's as if it completely ignores whatever date/time range we specify. BTW, this is an out-of-the-box macro.
|`incident_review`
| table _time owner rule_id rule_name status_label
My requirement is to show the Notables triggered based on the date range we select.
Secondly, does anyone know how to show the number of incidents (notable alerts) worked on by each SOC analyst? Basically I'm trying to generate performance metrics for each analyst: how many alerts they worked on, time to close each alert, details of each status change, etc. The default SOC operations dashboard sucks.
I added some fields at the end of the table to show the day, hour and year. You can make more using the time variables here:
https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Commontimeformatvariables
| inputlookup append=T incident_review_lookup
| rename user as reviewer
| lookup update=true user_realnames_lookup user as "owner" OUTPUTNEW realname as "owner_realname"
| eval "owner_realname"=if(isnull('owner_realname'),'owner','owner_realname')
| lookup update=true user_realnames_lookup user as "reviewer" OUTPUTNEW realname as "reviewer_realname"
| eval "reviewer_realname"=if(isnull('reviewer_realname'),'reviewer','reviewer_realname')
| eval nullstatus=if(isnull(status),"true","false")
| eval temp_status=if(isnull(status),-1,status)
| lookup update=true reviewstatuses_lookup _key as temp_status OUTPUT status,label as status_label,description as status_description,default as status_default,end as status_end
| eval status=if(isnull(status_label),0,status),status_label=if(isnull(status_label),"Unassigned",status_label),status_description=if(isnull(status_description),"unknown",status_description),"status_default"=case(match('status_default', "1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match('status_default', "0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",1=1,'status_default'),"status_end"=case(match('status_end', "1|[Tt]|[Tt][Rr][Uu][Ee]"),"true",match('status_end', "0|[Ff]|[Ff][Aa][Ll][Ss][Ee]"),"false",1=1,'status_end'),status_group=case(status_default=="true","New",status_end=="true","Closed",status=0,"New",1=1,"Open")
| fields - temp_status
| eval status=if((isnull(status) OR isnull(status_label)) AND nullstatus=="false",0,status)
| eval status_label=if(isnull(status_label) AND nullstatus=="false","Unassigned",status_label)
| eval status_description=if(isnull(status_description) AND nullstatus=="false","unknown",status_description)
| eval _time=time
| fields - nullstatus
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval eventDay=strftime(_time,"%A")
| eval eventYear=strftime(_time,"%Y")
| table _time owner rule_id rule_name status_label eventHour eventDay eventMin eventYear
Thanks a lot. Appreciate it.
To your second question, have you tried the Incident Review Audit report on the Audit menu?
en-US/app/SplunkEnterpriseSecuritySuite/incident_review_audit
If you press CTRL SHIFT E on that search you will see the macro fully expanded.
It's just a bunch of lookups, and the timerange picker only works on _time.
Notice at the end of the search there is an eval for time?
| eval _time=time
You can use that with some tokens on a dashboard or manually add filters to the search for _time.
Does that help?
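An added example, not from the thread or from ES itself: it makes the time picker apply to the macro's lookup rows with addinfo, then rolls the surviving rows up per notable and per analyst for the metrics asked about in the second question. It assumes the fields the expanded macro above emits (status_group, owner_realname) and that a notable's first row in incident_review_lookup is its first review action, since untouched notables never appear there.

```spl
| `incident_review`
| addinfo ```info_min_time / info_max_time carry the time picker bounds```
| where _time >= info_min_time AND (info_max_time == "+Infinity" OR _time <= info_max_time) ```All time reports +Infinity, not a number```
| stats min(_time) as first_review
        max(_time) as last_review
        count as review_events
        latest(status_group) as current_group
        latest(owner_realname) as current_owner
        by rule_id rule_name
| eval hours_active=round((last_review - first_review) / 3600, 2) ```first review action to last status change```
| eval closed=if(current_group == "Closed", 1, 0) ```status_group comes from the macro's reviewstatuses_lookup eval```
| stats count as notables_owned
        sum(closed) as closed_notables
        sum(review_events) as status_changes
        avg(hours_active) as avg_hours_first_to_last_change
        by current_owner
| sort - notables_owned
```

Attribution here goes to the final owner of each notable; to credit every analyst who touched one, group the first stats by reviewer_realname instead.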
Hi, I have marked your search as Solution but I am noticing that even if I run it with a time range of last 24h, it still ends up dumping out everything. It does not show me the data specific to whatever date filter I have selected. I misunderstood then. How am I supposed to pass on the time filter to this macro if there is |eval _time=time at the bottom?
What are you trying to do with this macro?
The Incident Review dashboard in ES will let you use the time range picker to filter notable events. Plus you could set up a time range and other conditions like status=resolved and save it as a filter.
/en-US/app/SplunkEnterpriseSecuritySuite/incident_review