Re: Check status in progress with closed/resolved

l-mss-n3 · ‎07-03-2015

Hi,

I am trying to create an alert that I need check if status "work in progress" was opened for more than 1 hour, if status work in progress was opened for than 1 hour and doesn't have the status resolved or closed trigger the alert.

My search eventtype=sc_status | search id!="" AND (status="work in progress" OR status="closed" OR status="Resolved") | search id="IM5020749" | table _time, id, status

Return this:
_time id status
2015-07-03 11:55:40 IM5020749 Resolved
2015-07-03 10:03:36 IM5020749 Work in progress

alacercogitatus · ‎07-03-2015

Try this search:

eventtype=sc_status  ( status="work in progress" OR status="closed" OR status="Resolved") | transaction id startswith="work in progress" endswith="Resolved" maxspan=4h | search duration > 3600 | stats count by id status

This will pull all the events you require, combine them using transaction, and then only return the ones that are over an hour in duration.

l-mss-n3 · ‎07-06-2015

This search works well, however the search returns always Work in progress+Resolved and I would like the alert shows me status work in progress opened for more than 1 hour.

Check status in progress with closed/resolved

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation