Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search Notables for Open and Closure Times

splunkeradmin22
New Member
‎07-09-2021 01:25 PM

Hi Everyone,

I am trying to write a query that will allow me to use my notable_events table, display the time the notable opened and the time it was closed.

Looking through the forums I found:

|eval _time=strftime(_time,"%Y/%m/%d %T")
|eval review_time=strftime(review_time,"%Y/%m/%d %T")
|eval assign_time = case(isnotnull(owner), _time) | eval close_time = case(status=5, review_time)
|stats min(_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by AlertTitle,owner

 But that isn't quite working as it returns 0 results.

Labels (1)
Labels
0 Karma
Reply

efika
Communicator
‎07-16-2021 11:51 AM

Hi @splunkeradmin22 ,

Have a look at the below macro:

|`incident_review`
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...