Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk ITSI
- :
- Re: Need a search that returns the episodeid for a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a search that returns the episodeid for all episodes for a given emid and timeframe?
Need a search that returns the episodeid for all episodes for a given emid and timeframe .. this is available from the 'Share Episode' dropdown for episodes displayed in the Episode Review page, I need a background search that would return this info.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hii!
To create a search that returns the episode ID for all episodes within a specific timeframe and associated with a particular EMID, you will need to perform the following steps:
Access the database or source of data where the episode and EMID information is stored.
Use a query language or programming language that can interface with the database or data source.
Write a query that filters the episodes based on the given EMID and timeframe. For example, you can use SQL to create a SELECT statement that filters by the EMID and a BETWEEN clause to specify the timeframe.
Execute the query and retrieve the episode IDs for the filtered episodes.
Return the episode IDs to the user or store them in a data structure for further processing.
Overall, the specific implementation details of this search will depend on the specific data source and technologies you are using.
I hope this will help you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
The episode id is (itsi_group_id) available for all episodes in the itsi_grouped_alerts index and from the _key in itsi_notable_group_system_lookup. The emid is the saved "Episode Review" id. The Episode Review can have some predefined episode filters and UI settings.
There is no relation between an episode and an "Episode Review". Episode Review will show all episodes that qualifies for the selected timeframe and other filters.
Here is a small example dashboard to create your own links to episodes.
<dashboard version="1.1">
<label>Link To Episode</label>
<row>
<panel>
<table>
<title>Active Episodes</title>
<search>
<query>| inputlookup itsi_notable_group_system_lookup where is_active=1
| eval itsi_group_id=_key, _time = last_time
| table _time, title, itsi_group_id
| sort - _time limit=0</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">cell</option>
<drilldown>
<link target="_blank">/app/itsi/itsi_event_management?episodeid=$row.itsi_group_id$</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That works .. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But having trouble getting the link to work if the episode is outside a 24 hr timespan .. which is the default for the Episode Review page .. says no results for episodes outside the past 24 hrs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found the problem .. need to pass earliest and latest to the link .. thanks
Fall Into Learning with New Splunk Education Courses
Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...
How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes
