
How to Filter Episode Review statistics to current user?

srauhala_splunk

Related to ITSIID-I-326 

"ITSI's Episode Review shows several KPIs such as MTTR, Episodes by Severity, Total Noise Reduction etc., which are computed across all episodes in ITSI. It would be great if this view were customisable so that every ITSI user only sees the KPIs for the episodes that this user is taking care of. For example, if there are several people using ITSI, an analyst would only see MTTR or Episodes by Severity for the episodes that he or she is working on." 

The dashboard in Episode Review can be customised to display different visualisations, tables and search results. 

As a proof of concept I created a dashboard similar to the original one delivered with Episode Review, but added search filters for the currently logged-in user. Note that this only filters what the dashboard displays: each search scopes its results to the current user through a `| rest /services/authentication/current-context` subsearch, so it does not restrict access to the underlying episode data for users who can run searches against those indexes. 

 

 

 

{
    "dataSources": {
        "mttrSearch": {
            "options": {
                "query": "| tstats earliest(_time) as t1 where `itsi_notable_audit_index` activity=\"*resolved*\" [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] by event_id \n| append \n    [| tstats earliest(itsi_first_event_time) as t2 where `itsi_event_management_group_index` by itsi_group_id] \n| eval match_id=coalesce(event_id,itsi_group_id) \n| stats values(*) AS * by match_id \n| search event_id=* itsi_group_id=* \n| eval diff=t1-t2 \n| stats avg(diff) as t3 \n| eval avgDuration = round(t3/60,0) \n| fields - t3",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "mttr"
        },
        "episodesBySeveritySearch": {
            "options": {
                "query": "| tstats count where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=* by itsi_group_id \n| lookup itsi_notable_group_user_lookup _key AS itsi_group_id OUTPUT owner severity status instruction \n| search [| rest /services/authentication/current-context splunk_server=local \n    | eval owner = username \n    | fields owner \n    | format]\n| lookup itsi_notable_group_system_lookup _key AS itsi_group_id OUTPUT title description start_time last_time is_active event_count \n| stats count as \"Count\" by severity \n| sort - severity \n| eval severity=case(severity=1,\"Information\",severity=2,\"Normal\",severity=3,\"Low\",severity=4,\"Medium\",severity=5,\"High\",severity=6,\"Critical\") \n| rename severity as \"Severity\"",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "ebs"
        },
        "noiseReductionSearch": {
            "options": {
                "query": "| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | table user, roles",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "CU"
        },
        "percentAckSearch": {
            "options": {
                "query": "| tstats count as Acknowledged where index=itsi_notable_audit activity=*acknowledged* \n    [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] \n| appendcols \n    [| tstats dc(itsi_group_id) as total where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=*] \n| eval acknowledgedPercent=(Acknowledged/total)*100 \n| table acknowledgedPercent",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "EACK"
        },
        "mttaSearch": {
            "options": {
                "query": "| tstats earliest(_time) as t1 where index=itsi_notable_audit activity=\"*acknowledged*\" \n    [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] by event_id \n| append \n    [| tstats earliest(itsi_first_event_time) as t2 where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=* by itsi_group_id] \n| eval match_id=coalesce(event_id,itsi_group_id) \n| stats values(*) AS * by match_id \n| search event_id=* itsi_group_id=* \n| eval diff=t1-t2 \n| stats avg(diff) as t3 \n| eval avgDuration = round(t3/60,0) \n| fields - t3",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "MTTA"
        }
    },
    "visualizations": {
        "mttr": {
            "title": "Mean Time to Resolve for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "minutes"
            },
            "dataSources": {
                "primary": "mttrSearch"
            }
        },
        "episodesBySeverity": {
            "title": "Episodes by Severity for Current User",
            "type": "splunk.bar",
            "options": {
                "backgroundColor": "#ffffff",
                "barSpacing": 5,
                "dataValuesDisplay": "all",
                "legendDisplay": "off",
                "showYMajorGridLines": false,
                "yAxisLabelVisibility": "hide",
                "xAxisMajorTickVisibility": "hide",
                "yAxisMajorTickVisibility": "hide",
                "xAxisTitleVisibility": "hide",
                "yAxisTitleVisibility": "hide"
            },
            "dataSources": {
                "primary": "episodesBySeveritySearch"
            }
        },
        "noiseReduction": {
            "title": "Current User",
            "type": "splunk.table",
            "context": {
                "backgroundColorThresholds": [
                    {
                        "from": 95,
                        "value": "#65a637"
                    },
                    {
                        "from": 90,
                        "to": 95,
                        "value": "#6db7c6"
                    },
                    {
                        "from": 87,
                        "to": 90,
                        "value": "#f7bc38"
                    },
                    {
                        "from": 85,
                        "to": 87,
                        "value": "#f58f39"
                    },
                    {
                        "to": 85,
                        "value": "#d93f3c"
                    }
                ]
            },
            "dataSources": {
                "primary": "noiseReductionSearch"
            },
            "showProgressBar": false,
            "showLastUpdated": false
        },
        "percentAck": {
            "title": "Episodes Acknowledged for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "numberPrecision": 2,
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "%"
            },
            "dataSources": {
                "primary": "percentAckSearch"
            }
        },
        "mtta": {
                "title": "Mean Time to Acknowledge for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "minutes"
            },
            "dataSources": {
                "primary": "mttaSearch"
            }
        }
    },
    "layout": {
        "type": "grid",
        "options": {
            "display": "auto-scale",
            "height": 240,
            "width": 1440
        },
        "structure": [
            {
                "item": "mttr",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "episodesBySeverity",
                "type": "block",
                "position": {
                    "x": 288,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "noiseReduction",
                "type": "block",
                "position": {
                    "x": 576,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "percentAck",
                "type": "block",
                "position": {
                    "x": 864,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "mtta",
                "type": "block",
                "position": {
                    "x": 1152,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            }
        ]
    }
}

 

 

 

 

 

 

 

 
