Re: Check status in progress with closed/resolved

l-mss-n3 · ‎07-03-2015

Hi,

I am trying to create an alert that I need check if status "work in progress" was opened for more than 1 hour, if status work in progress was opened for than 1 hour and doesn't have the status resolved or closed trigger the alert.

My search eventtype=sc_status | search id!="" AND (status="work in progress" OR status="closed" OR status="Resolved") | search id="IM5020749" | table _time, id, status

Return this:
_time id status
2015-07-03 11:55:40 IM5020749 Resolved
2015-07-03 10:03:36 IM5020749 Work in progress

alacercogitatus · ‎07-03-2015

Try this search:

eventtype=sc_status  ( status="work in progress" OR status="closed" OR status="Resolved") | transaction id startswith="work in progress" endswith="Resolved" maxspan=4h | search duration > 3600 | stats count by id status

This will pull all the events you require, combine them using transaction, and then only return the ones that are over an hour in duration.

l-mss-n3 · ‎07-06-2015

This search works well, however the search returns always Work in progress+Resolved and I would like the alert shows me status work in progress opened for more than 1 hour.

Check status in progress with closed/resolved

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Check status in progress with closed/resolved

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk