
How to Filter Episode Review statistics to current user?

srauhala_splunk
Splunk Employee

Related to ITSIID-I-326 

"ITSI's Episode Review shows several KPI’s such as MTTR, Episodes by Severity, Total Noise Reduction etc. which are made up by all episodes in ITSI. It would be great if this view was customisable so that every ITSI user only sees the KPI’s for the episodes that this user is taking care of. For example, if there are several people using ITSI - an analyst would only see MTTR or Episodes by Severity for the episodes that he or she is working on." 

The dashboard in Episode Review can be customised to display different visualisations, tables and search results.

As a proof of concept I created a dashboard similar to the original one delivered with Episode Review, but added search filters scoped to the currently logged-in user (the username is taken from `| rest /services/authentication/current-context` in each data source's query).

 

 

 

{
    "dataSources": {
        "mttrSearch": {
            "options": {
                "query": "| tstats earliest(_time) as t1 where `itsi_notable_audit_index` activity=\"*resolved*\" [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] by event_id \n| append \n    [| tstats earliest(itsi_first_event_time) as t2 where `itsi_event_management_group_index` by itsi_group_id] \n| eval match_id=coalesce(event_id,itsi_group_id) \n| stats values(*) AS * by match_id \n| search event_id=* itsi_group_id=* \n| eval diff=t1-t2 \n| stats avg(diff) as t3 \n| eval avgDuration = round(t3/60,0) \n| fields - t3",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "mttr"
        },
        "episodesBySeveritySearch": {
            "options": {
                "query": "| tstats count where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=* by itsi_group_id \n| lookup itsi_notable_group_user_lookup _key AS itsi_group_id OUTPUT owner severity status instruction \n| search [| rest /services/authentication/current-context splunk_server=local \n    | eval owner = username \n    | fields owner \n    | format]\n| lookup itsi_notable_group_system_lookup _key AS itsi_group_id OUTPUT title description start_time last_time is_active event_count \n| stats count as \"Count\" by severity \n| sort - severity \n| eval severity=case(severity=1,\"Information\",severity=2,\"Normal\",severity=3,\"Low\",severity=4,\"Medium\",severity=5,\"High\",severity=6,\"Critical\") \n| rename severity as \"Severity\"",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "ebs"
        },
        "noiseReductionSearch": {
            "options": {
                "query": "| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | table user, roles",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "CU"
        },
        "percentAckSearch": {
            "options": {
                "query": "| tstats count as Acknowledged where index=itsi_notable_audit activity=*acknowledged* \n    [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] \n| appendcols \n    [| tstats dc(itsi_group_id) as total where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=*] \n| eval acknowledgedPercent=(Acknowledged/total)*100 \n| table acknowledgedPercent",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "EACK"
        },
        "mttaSearch": {
            "options": {
                "query": "| tstats earliest(_time) as t1 where index=itsi_notable_audit activity=\"*acknowledged*\" \n    [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] by event_id \n| append \n    [| tstats earliest(itsi_first_event_time) as t2 where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=* by itsi_group_id] \n| eval match_id=coalesce(event_id,itsi_group_id) \n| stats values(*) AS * by match_id \n| search event_id=* itsi_group_id=* \n| eval diff=t1-t2 \n| stats avg(diff) as t3 \n| eval avgDuration = round(t3/60,0) \n| fields - t3",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "MTTA"
        }
    },
    "visualizations": {
        "mttr": {
            "title": "Mean Time to Resolve for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "minutes"
            },
            "dataSources": {
                "primary": "mttrSearch"
            }
        },
        "episodesBySeverity": {
            "title": "Episodes by Severity for Current User",
            "type": "splunk.bar",
            "options": {
                "backgroundColor": "#ffffff",
                "barSpacing": 5,
                "dataValuesDisplay": "all",
                "legendDisplay": "off",
                "showYMajorGridLines": false,
                "yAxisLabelVisibility": "hide",
                "xAxisMajorTickVisibility": "hide",
                "yAxisMajorTickVisibility": "hide",
                "xAxisTitleVisibility": "hide",
                "yAxisTitleVisibility": "hide"
            },
            "dataSources": {
                "primary": "episodesBySeveritySearch"
            }
        },
        "noiseReduction": {
            "title": "Current User",
            "type": "splunk.table",
            "context": {
                "backgroundColorThresholds": [
                    {
                        "from": 95,
                        "value": "#65a637"
                    },
                    {
                        "from": 90,
                        "to": 95,
                        "value": "#6db7c6"
                    },
                    {
                        "from": 87,
                        "to": 90,
                        "value": "#f7bc38"
                    },
                    {
                        "from": 85,
                        "to": 87,
                        "value": "#f58f39"
                    },
                    {
                        "to": 85,
                        "value": "#d93f3c"
                    }
                ]
            },
            "dataSources": {
                "primary": "noiseReductionSearch"
            },
            "showProgressBar": false,
            "showLastUpdated": false
        },
        "percentAck": {
            "title": "Episodes Acknowledged for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "numberPrecision": 2,
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "%"
            },
            "dataSources": {
                "primary": "percentAckSearch"
            }
        },
        "mtta": {
            "title": "Mean Time to Acknowledge for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "minutes"
            },
            "dataSources": {
                "primary": "mttaSearch"
            }
        }
    },
    "layout": {
        "type": "grid",
        "options": {
            "display": "auto-scale",
            "height": 240,
            "width": 1440
        },
        "structure": [
            {
                "item": "mttr",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "episodesBySeverity",
                "type": "block",
                "position": {
                    "x": 288,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "noiseReduction",
                "type": "block",
                "position": {
                    "x": 576,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "percentAck",
                "type": "block",
                "position": {
                    "x": 864,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "mtta",
                "type": "block",
                "position": {
                    "x": 1152,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            }
        ]
    }
}
