Splunk Search

Builder

Hi All, Need some guidance for calculating SLA  Achieved percentage column.

This is how my results look like after running base search

 Severity Count_of_Alerts Mean_Time_To_Close SLA Target SLA Achieved  in % S1 10 7 mins 8 secs 15 mins S2 5 6 mins 25 secs 45 min

I have referenced solution provided by @ITWhisperer in https://community.splunk.com/t5/Splunk-Search/adding-percentage-of-SLA-breach/m-p/572942#M199687  but in my case we also have count column.   We are ok with considering only the minutes portion of the Time_to_Close and ignoring the secs if too complicated.

How can i calculate my SLA achieved in % . Is it as simple as doing a
| eval SLA_Achieved = (Mean_Time_to_close*SLA_Target)/100

One further optimization would if the SLA % achieved is less than the Target, then perhaps color that cell green else Red in color (something on that lines).

Labels (1)
• ### fields

Tags (1)
1 Solution
SplunkTrust

I suspect the uptime2string macro is converting your times (which might well have been in seconds) to various strings. Try doing your calculations prior to this macro, or indeed prior to the stats command which is aggregating all the events and effectively removing any useful detail that you would need to work out your achievement rates.

SplunkTrust

Depending on how you are measuring compliance, you may not have sufficient information here.

Your mean time to close for S1 is less than your target so compliance is 100%. Similarly for S2.

However, if you want to know the percentage of S1 tickets were closed within the target time, you need to count the number that were below the target and divide that by the total number of tickets for that severity.

Builder

Thank you for responding. Can we not just divide the (Avg_time_to_close value / SLA_Target )* 100, that answer will give me the SLA_Achieved percentage. That is how we are doing it manually in Excel right now.

But confusing part here how to calculate this value per severity (as in per row)

SplunkTrust

You can do any calculation you like - the question is what does that calculation tell you?

Suppose for S1 your mean time to close is 30 minutes, and you have a target of 15 minutes. If you do the calculation you are suggesting, this comes out at 200% achievement! Is this really the value you want to report? Firstly, how can double the number of tickets you have, have "achieved" the target SLA?

Given that I suspect you want to know how many of your tickets were closed in under the target time (not over), the calculation you are suggesting does not tell you this.

Builder

Upvoted your post. Thanks again.  I get now that i need to calculate based on count below target/count above target.   Any advice on how to convert the field  like avg_ttr (shown below) which looks like 1 hours 10 minutes  to minutes only( as in 70 mins). so that it will allow us to compare with the SLA target of 45 mins  ?

SplunkTrust

I suspect the uptime2string macro is converting your times (which might well have been in seconds) to various strings. Try doing your calculations prior to this macro, or indeed prior to the stats command which is aggregating all the events and effectively removing any useful detail that you would need to work out your achievement rates.

Get Updates on the Splunk Community!

#### .conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

#### Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

#### Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...