Splunk Enterprise

How can I capture in the below format?

sidtalup27
Explorer

Hello,

We are trying to build a dashboard for Incident SLA compliance.
The data is ingested from JIRA. Tickets are created in JIRA, and Splunk retrieves the information frequently. At this point in time, the fields that concern me are the Ticket Number and Creation Time. However, when an existing ticket in JIRA is updated, the new values in Splunk overwrite the existing values. Hence, I lose the previously captured values; in this case, I miss out on the Creation Time, and the same field is updated with the new time. How can I capture the data in the format below? Please advise.

Ticket Number, Creation Time, Updated Time.

--
Thanks,
Siddarth

0 Karma

sidtalup27
Explorer

@gcusello, can you please elaborate? My objective is to create a table of events for a key field, considering INDEX and SOURCETYPE are the same.

0 Karma

gcusello
SplunkTrust

Hi @sidtalup27,

I don't know how you collect Jira data; anyway, instead of saving them in a lookup, save them in a summary index using the collect command, so you'll have progressive events with the timestamp, the correlation key and the status, and you can display this information in a table.

I cannot be more precise because I don't know how you populate the lookup.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @sidtalup27,

Don't use a lookup to save data extracted from Jira, but a summary index, so you also have the timestamp information.

Ciao.

Giuseppe

0 Karma
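
The summary-index approach suggested in the replies above, written out as an added sketch that is not part of any post in this thread. The first search is meant to run as a scheduled search every 15 minutes and append one snapshot event per ticket update; the second builds the requested table. The index names `jira` and `jira_summary`, the sourcetype `jira:issue`, the source value and the field names `ticket_number` and `status` are all assumptions, and the first snapshot time only approximates the creation time if a ticket is collected soon after it is created.

```spl
index=jira sourcetype="jira:issue" earliest=-15m@m latest=@m ```assumed source index and sourcetype; window matches a 15-minute schedule so runs do not overlap```
| table _time ticket_number status ```ticket_number and status are assumed field names```
| collect index=jira_summary source="jira_ticket_snapshots" ```hypothetical summary index, which must already exist; each run appends events instead of overwriting```

index=jira_summary source="jira_ticket_snapshots"
| stats min(_time) AS first_seen max(_time) AS last_seen BY ticket_number
| eval "Creation Time"=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), "Updated Time"=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| rename ticket_number AS "Ticket Number"
| table "Ticket Number" "Creation Time" "Updated Time"
```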