Splunk IT Service Intelligence

How to Filter Episode Review statistics to current user?

srauhala_splunk
Splunk Employee

Related to ITSIID-I-326 

"ITSI's Episode Review shows several KPIs such as MTTR, Episodes by Severity, Total Noise Reduction etc. which are made up by all episodes in ITSI. It would be great if this view was customisable so that every ITSI user only sees the KPIs for the episodes that this user is taking care of. For example, if there are several people using ITSI - an analyst would only see MTTR or Episodes by Severity for the episodes that he or she is working on."

The dashboard in Episode Review can be customised to display different visualisations, tables and search results.

As a proof of concept I created a dashboard similar to the original delivered for Episode Review, but added search filters for the currently logged-in user.


{
    "dataSources": {
        "mttrSearch": {
            "options": {
                "query": "| tstats earliest(_time) as t1 where `itsi_notable_audit_index` activity=\"*resolved*\" [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] by event_id \n| append \n    [| tstats earliest(itsi_first_event_time) as t2 where `itsi_event_management_group_index` by itsi_group_id] \n| eval match_id=coalesce(event_id,itsi_group_id) \n| stats values(*) AS * by match_id \n| search event_id=* itsi_group_id=* \n| eval diff=t1-t2 \n| stats avg(diff) as t3 \n| eval avgDuration = round(t3/60,0) \n| fields - t3",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "mttr"
        },
        "episodesBySeveritySearch": {
            "options": {
                "query": "| tstats count where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=* by itsi_group_id \n| lookup itsi_notable_group_user_lookup _key AS itsi_group_id OUTPUT owner severity status instruction \n| search [| rest /services/authentication/current-context splunk_server=local \n    | eval owner = username \n    | fields owner \n    | format]\n| lookup itsi_notable_group_system_lookup _key AS itsi_group_id OUTPUT title description start_time last_time is_active event_count \n| stats count as \"Count\" by severity \n| sort - severity \n| eval severity=case(severity=1,\"Information\",severity=2,\"Normal\",severity=3,\"Low\",severity=4,\"Medium\",severity=5,\"High\",severity=6,\"Critical\") \n| rename severity as \"Severity\"",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "ebs"
        },
        "noiseReductionSearch": {
            "options": {
                "query": "| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | table user, roles",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "CU"
        },
        "percentAckSearch": {
            "options": {
                "query": "| tstats count as Acknowledged where index=itsi_notable_audit activity=*acknowledged* \n    [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] \n| appendcols \n    [| tstats dc(itsi_group_id) as total where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=*] \n| eval acknowledgedPercent=(Acknowledged/total)*100 \n| table acknowledgedPercent",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "EACK"
        },
        "mttaSearch": {
            "options": {
                "query": "| tstats earliest(_time) as t1 where index=itsi_notable_audit activity=\"*acknowledged*\" \n    [| rest /services/authentication/current-context splunk_server=local \n    | eval user = username \n    | fields user \n    | format] by event_id \n| append \n    [| tstats earliest(itsi_first_event_time) as t2 where index=itsi_grouped_alerts sourcetype=itsi_notable:group NOT source=itsi@internal@group_closing_event NOT itsi_dummy_closing_flag=* NOT itsi_bdt_event=* by itsi_group_id] \n| eval match_id=coalesce(event_id,itsi_group_id) \n| stats values(*) AS * by match_id \n| search event_id=* itsi_group_id=* \n| eval diff=t1-t2 \n| stats avg(diff) as t3 \n| eval avgDuration = round(t3/60,0) \n| fields - t3",
                "queryParameters": {
                    "earliest": "$earliest_time$",
                    "latest": "$latest_time$"
                }
            },
            "type": "ds.search",
            "name": "MTTA"
        }
    },
    "visualizations": {
        "mttr": {
            "title": "Mean Time to Resolve for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "minutes"
            },
            "dataSources": {
                "primary": "mttrSearch"
            }
        },
        "episodesBySeverity": {
            "title": "Episodes by Severity for Current User",
            "type": "splunk.bar",
            "options": {
                "backgroundColor": "#ffffff",
                "barSpacing": 5,
                "dataValuesDisplay": "all",
                "legendDisplay": "off",
                "showYMajorGridLines": false,
                "yAxisLabelVisibility": "hide",
                "xAxisMajorTickVisibility": "hide",
                "yAxisMajorTickVisibility": "hide",
                "xAxisTitleVisibility": "hide",
                "yAxisTitleVisibility": "hide"
            },
            "dataSources": {
                "primary": "episodesBySeveritySearch"
            }
        },
        "noiseReduction": {
            "title": "Current User",
            "type": "splunk.table",
            "context": {
                "backgroundColorThresholds": [
                    {
                        "from": 95,
                        "value": "#65a637"
                    },
                    {
                        "from": 90,
                        "to": 95,
                        "value": "#6db7c6"
                    },
                    {
                        "from": 87,
                        "to": 90,
                        "value": "#f7bc38"
                    },
                    {
                        "from": 85,
                        "to": 87,
                        "value": "#f58f39"
                    },
                    {
                        "to": 85,
                        "value": "#d93f3c"
                    }
                ]
            },
            "dataSources": {
                "primary": "noiseReductionSearch"
            },
            "showProgressBar": false,
            "showLastUpdated": false
        },
        "percentAck": {
            "title": "Episodes Acknowledged for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "numberPrecision": 2,
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "%"
            },
            "dataSources": {
                "primary": "percentAckSearch"
            }
        },
        "mtta": {
            "title": "Mean Time to Acknowledged for Current User",
            "type": "splunk.singlevalue",
            "options": {
                "backgroundColor": "#ffffff",
                "sparklineDisplay": "off",
                "trendDisplay": "off",
                "trendValue": 0,
                "unit": "minutes"
            },
            "dataSources": {
                "primary": "mttaSearch"
            }
        }
    },
    "layout": {
        "type": "grid",
        "options": {
            "display": "auto-scale",
            "height": 240,
            "width": 1440
        },
        "structure": [
            {
                "item": "mttr",
                "type": "block",
                "position": {
                    "x": 0,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "episodesBySeverity",
                "type": "block",
                "position": {
                    "x": 288,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "noiseReduction",
                "type": "block",
                "position": {
                    "x": 576,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "percentAck",
                "type": "block",
                "position": {
                    "x": 864,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            },
            {
                "item": "mtta",
                "type": "block",
                "position": {
                    "x": 1152,
                    "y": 0,
                    "w": 288,
                    "h": 220
                }
            }
        ]
    }
}
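To see what the `[| rest /services/authentication/current-context ... | format]` subsearch turns into at search time, and to check which data sources in a Dashboard Studio definition actually carry it, here is an added Python helper that is not part of the original post or of ITSI; the sample dashboard, and the assumption that `format` escapes quotes in the username, are constructed for the example.

```python
import json
import re

# Matches the per-user subsearch pattern used in the post: a rest call to the
# current-context endpoint, an eval renaming `username` to the filter field,
# and `| format`, which renders that row as an SPL boolean expression.
_SUBSEARCH = re.compile(
    r"\[\s*\|\s*rest\s+/services/authentication/current-context"
    r"[^\]]*?\|\s*eval\s+(\w+)\s*=\s*username[^\]]*?\|\s*format\s*\]",
    re.S,
)

def _spl_quote(value: str) -> str:
    """Quote a field value; escaping quotes/backslashes is an assumption here."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def expand_current_user(query: str, username: str) -> str:
    """Replace each current-user subsearch with the expression `format` returns
    for that user, e.g. ( ( user="alice" ) ); current-context yields one row."""
    return _SUBSEARCH.sub(
        lambda m: f"( ( {m.group(1)}={_spl_quote(username)} ) )", query)

def scoped_fields(query: str) -> list:
    """Field names the query's current-user subsearches filter on, in order."""
    return [m.group(1) for m in _SUBSEARCH.finditer(query)]

def audit_dashboard(dashboard_json: str) -> dict:
    """Per ds.search data source, list the fields scoped to the current user;
    an empty list means that data source is not filtered per user at all."""
    dashboard = json.loads(dashboard_json)
    return {
        ds_id: scoped_fields(ds.get("options", {}).get("query", ""))
        for ds_id, ds in dashboard.get("dataSources", {}).items()
        if ds.get("type") == "ds.search"
    }

# Constructed sample: one data source scoped on `owner` from the episode lookup
# (as in the post) and one with no per-user filter.
SAMPLE = json.dumps({"dataSources": {
    "bySeverity": {"type": "ds.search", "options": {"query":
        "| tstats count where index=itsi_grouped_alerts by itsi_group_id "
        "| lookup itsi_notable_group_user_lookup _key AS itsi_group_id OUTPUT owner severity "
        "| search [| rest /services/authentication/current-context splunk_server=local "
        "| eval owner = username | fields owner | format] | stats count by severity"}},
    "allEpisodes": {"type": "ds.search", "options": {"query":
        "| tstats dc(itsi_group_id) as total where index=itsi_grouped_alerts"}},
}})
```

The field name produced by the eval must match the field that actually carries the user (`user` in itsi_notable_audit events, `owner` from itsi_notable_group_user_lookup), and a data source reported with an empty list still returns every episode the viewing user's role can search, since this is a view filter inside the search string rather than an access control.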
