Splunk ITSI

How to create a search that returns the episodeid for all episodes for a given emid and timeframe?

BDavis
Loves-to-Learn

Need a search that returns the episodeid for all episodes for a given emid and timeframe .. this is available from the 'Share Episode' dropdown for episodes displayed in the Episode Review page, I need a background search that would return this info.  

0 Karma

Nancywheeler60
Explorer

Hi!

To create a search that returns the episode ID for all episodes within a specific timeframe and associated with a particular EMID, you will need to perform the following steps:

  1. Access the database or source of data where the episode and EMID information is stored.

  2. Use a query language or programming language that can interface with the database or data source.

  3. Write a query that filters the episodes based on the given EMID and timeframe. For example, you can use SQL to create a SELECT statement that filters by the EMID and a BETWEEN clause to specify the timeframe.

  4. Execute the query and retrieve the episode IDs for the filtered episodes.

  5. Return the episode IDs to the user or store them in a data structure for further processing.

Overall, the specific implementation details of this search will depend on the specific data source and technologies you are using.

I hope this will help you.

0 Karma

srauhala_splunk
Splunk Employee

Hi! 

The episode id (itsi_group_id) is available for all episodes in the itsi_grouped_alerts index and from the _key in itsi_notable_group_system_lookup. The emid is the saved "Episode Review" id. The Episode Review can have some predefined episode filters and UI settings.

There is no relation between an episode and an "Episode Review". Episode Review will show all episodes that qualify for the selected timeframe and other filters.

Here is a small example dashboard to create your own links to episodes. 

<dashboard version="1.1">
  <label>Link To Episode</label>
  <row>
    <panel>
      <table>
        <title>Active Episodes</title>
        <search>
          <query>| inputlookup itsi_notable_group_system_lookup where is_active=1
| eval itsi_group_id=_key, _time = last_time
| table _time, title, itsi_group_id
| sort - _time limit=0</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <link target="_blank">/app/itsi/itsi_event_management?episodeid=$row.itsi_group_id$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>

0 Karma

BDavis
Loves-to-Learn

That works .. Thanks!

0 Karma

BDavis
Loves-to-Learn

But having trouble getting the link to work if the episode is outside a 24 hr timespan .. which is the default for the Episode Review page .. says no results for episodes outside the past 24 hrs. 

0 Karma

BDavis
Loves-to-Learn

Found the problem .. need to pass earliest and latest to the link .. thanks

0 Karma
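Putting the two answers together, here is an added example dashboard (not code from the thread or from Splunk) that lists every episode id seen in the itsi_grouped_alerts index for a user-selected time range and carries that same range into the Episode Review link, so episodes older than the page's 24 hour default still resolve. It assumes the Episode Review URL accepts earliest and latest query parameters in the same format as the time picker tokens, as BDavis's last comment implies; the token name tr and the panel titles are my choices.

```xml
<dashboard version="1.1">
  <label>Link To Episode (time range aware)</label>
  <fieldset submitButton="false">
    <!-- Time picker; its tokens drive both the search and the drilldown link -->
    <input type="time" token="tr">
      <label>Episode time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Episodes with alerts in the selected range</title>
        <search>
          <!-- itsi_grouped_alerts is time-indexed, so the picker bounds the search directly -->
          <query>index=itsi_grouped_alerts
| stats min(_time) AS first_seen, max(_time) AS last_seen, count AS alerts BY itsi_group_id
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - last_seen
| table last_seen, first_seen, itsi_group_id, alerts</query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
        <drilldown>
          <!-- Pass the same earliest/latest so Episode Review does not fall back to its 24h default.
               "&" must be written as "&amp;" inside Simple XML element text. -->
          <link target="_blank">/app/itsi/itsi_event_management?episodeid=$row.itsi_group_id$&amp;earliest=$tr.earliest$&amp;latest=$tr.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

If you prefer the lookup-based search from the accepted answer, the lookup is not time-indexed, so you would need to filter last_time against the picker yourself (for example with addinfo and info_min_time/info_max_time) before the drilldown.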