Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the time between the notable event state changes?

ajaynyay
New Member
‎05-19-2020 12:17 PM

I am trying to figure out a way to calculate the time for:

  1. Time taken for a reviewer to assign the notable ticket from the creation time.
  2. Time taken for the notable in progress till close.

notable|search NOT suppression

|eval _time=strftime(_time,"%Y/%m/%d %T")
|eval review_time=strftime(review_time,"%Y/%m/%d %T")
|eval assign_time = case(isnotnull(owner), _time) | eval close_time = case(status=5, review_time)
|stats min(_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by AlertTitle,owner

This is giving me notable created time and closed time, but not the state change time.

Labels (1)
Labels
0 Karma
Reply

ajaynyay
New Member
‎05-19-2020 01:28 PM

Thank you for that.

The issue I see is that every time the notable incident state changes "review_time" is the only field that changes time. So, if I want to calculate the time from creation-->assignment and assignment-->closure its not giving me correct results.

For example, if I assign the notable today, the review_time field changes time, but if I close the same notable after sometime, it again updates the review_time field only. So, there is no good way of calculating time taken for old notables which are already closed or still open when the state changes later, unless I am missing something.

0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 04:16 PM

use range()

reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats

0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 12:53 PM

|eval _time=strftime(_time,"%Y/%m/%d %T")
This is wrong.
If you change epoch time to strings ,you can't aggregate times. Keep them stay.

 | eval assign_time = case(isnotnull(owner), _time) | eval close_time = case(status=5, review_time)
 | stats min(_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by AlertTitle,owner
 | eval state_change_time=your calculation
 | convert timeformat="%Y/%m/%d %T" ctime(notable_time) ctime(assign_time) ctime(close_time)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...