Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Snow ITSM dashboards

Splunk3
Explorer
‎01-04-2024 07:31 AM

Hi , 

I have snow data for change requests in splunk, I want to create a dashboard which gives the average duration of change request ( from actual start date and actual end date ) for type of the change . 

type of change can derived from short_description field. 

 

On y-axis ( average duration ) and on x -axis ( type of change request( short_description) , I have written this query but this is not giving the average duration of change . The result which I am getting is too high , may be its calculating for all the events for same change number . Not sure .

 

index=servicenow short_description IN ("abc", "xyz", "123")
| eval start_date_epoch = strptime(dv_opened_at, "%Y-%m-%d %H:%M:%S"), end_date_epoch = strptime(dv_closed_at, "%Y-%m-%d %H:%M:%S")
| eval duration_hours = (end_date_epoch - start_date_epoch ) /3600
| eval avg_duration = round (avg_duration_hours, 0)
| stats avg(duration_hours) as avg_duration by change_number, short_description
| eventstats avg(avg_duration) as overall_avg_duration by short_description | eval ocb = round (overall_avg_duration ,0)
| table short_description, ocb

 

Labels (3)
Tags (1)
0 Karma
Reply

tscroggins
Influencer
‎01-06-2024 02:17 PM

Hi @Splunk3,

If you're using Splunk Add-on for ServiceNow, new copies of table records are indexed by Splunk whenever the inputs sees a newer timestamp value in e.g. sys_updated_on. You most likely want to calculate durations from the latest instance of the record indexed by Splunk:

index=servicenow sourcetype=snow:change_request short_description IN ("abc", "xyz", "123")
| stats latest(short_description) as short_description latest(eval(strptime(dv_closed_at, "%F %T")-strptime(dv_opened_at, "%F %T"))) as duration_secs by sys_id
| stats avg(eval(duration_secs/3600)) as avg_duration_hours by short_description

I'm using stats aggregation eval shortcuts, but at a high level, the search finds the most recent short_description and calculates the most recent duration by sys_id, and then calculates the average duration by short_description.

If your changes are opened for long periods of time before approval and implementation, you may prefer to use the work_start and work_end fields or their equivalents, depending on your use case. Most orgs customize the change workflow and schemas to fit their service model.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...