Solved: Re: Do not display certain elements of a search?

Rajaion · ‎10-04-2022

Hello community,

I am having a problem with a dashboard that I am setting up based on Splunk OnCall data, in order to see the acknowledgment and resolution times for alerts.

In order to see the resolution period of my alerts, I made a dashboard that shows me the right information:

However, I sometimes have lines with two users displayed, and no more dates:

Looking at the alert in detail, I see that the item I retrieve contains two pieces of information:
One for the user who acknowledged the alert, and one for the resolution, always done by the "SYSTEM" user:

In the construction of my research, I cannot "impose" to keep only the "SYSTEM" user when I display the resolved alerts (in the context of acknowledged alerts, it is simpler because I filter the states ACKED upstream):

index="oncall_prod" routingKey=*
| search currentPhase=RESOLVED 
| dedup incidentNumber
| rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident
| eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") 
| eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ")
| eval temps_ack = tostring((ack_time - create_time), "duration")
| eval create_time=((create_time)+7200)
| eval ack_time=((ack_time)+7200)
| eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ")
| eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ")
| eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ")
| rename temps_ack as Temps_Traitement
| table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

Do you have any idea what changes I need to make to successfully see only the user linked to the resolution? I'm sure it's a stupid thing but I can't quite put my finger on it.

Best regards,

Rajaion

johnhuang · ‎10-04-2022

Looks like you're dealing with multivalue fields and you wanted to extract the first value of 'transitions{}.at' and the last value of 'transitions{}.by'.

See below in RED:

index="oncall_prod" routingKey=*
| search currentPhase=RESOLVED
| dedup incidentNumber
| rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident
| eval ack=MVINDEX(ack, 0)
| eval Utilisateur=MVINDEX(Utilisateur, -1)
| eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ")
| eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ")
| eval temps_ack = tostring((ack_time - create_time), "duration")
| eval create_time=((create_time)+7200)
| eval ack_time=((ack_time)+7200)
| eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ")
| eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ")
| eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ")
| rename temps_ack as Temps_Traitement
| table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

View solution in original post

johnhuang · ‎10-04-2022

Looks like you're dealing with multivalue fields and you wanted to extract the first value of 'transitions{}.at' and the last value of 'transitions{}.by'.

See below in RED:

index="oncall_prod" routingKey=*
| search currentPhase=RESOLVED
| dedup incidentNumber
| rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident
| eval ack=MVINDEX(ack, 0)
| eval Utilisateur=MVINDEX(Utilisateur, -1)
| eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ")
| eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ")
| eval temps_ack = tostring((ack_time - create_time), "duration")
| eval create_time=((create_time)+7200)
| eval ack_time=((ack_time)+7200)
| eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ")
| eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ")
| eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ")
| rename temps_ack as Temps_Traitement
| table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

Rajaion · ‎10-05-2022

Hi @johnhuang,

I just tested your solution and it is almost perfect, I just adjusted the MVINDEX (which I discover as a function, I learn about it every day) so that in addition to taking the user to -1, it takes also the closing time at -1. My command looks like:
index="oncall_prod" routingKey=*
| search currentPhase=RESOLVED
| dedup incidentNumber
| rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident
| eval ack=MVINDEX(ack, -1)
| eval Utilisateur=MVINDEX(Utilisateur, -1)
| eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ")
| eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ")
| eval temps_ack = tostring((ack_time - create_time), "duration")
| eval create_time=((create_time)+7200)
| eval ack_time=((ack_time)+7200)
| eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ")
| eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ")
| eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ")
| rename temps_ack as Temps_Traitement
| table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

And it does not impact when I switch my same request with ACKED (instead of RESOLVED). Thank you for your help.

Best regards,

Rajaion

johnhuang · ‎10-05-2022

"| eval ack=MVINDEX(ack, -1)" gives you the last value of the multivalue field which in this case is the system resolved time.

If the multivalue field consistently contains 2 values, you can use MVINDEX(ack, 0) to get the first value and MVINDEX(ack, 1) to extract the second (or last) value. However in cases where the number of values are unknown or inconsistent and you want to extract the last value, then using MVINDEX(ack, -1) does the trick.

Rajaion · ‎10-05-2022

Thanks for the precision. In my case, the last value will necessarily be that of the resolution (and the only other, that of the potential acknowledgment) so it fits exactly in my case. But I take good note of the function of "MVINDEX" for other needs.

Rajaion

gcusello · ‎10-04-2022

Hi @Rajaion,

let me understand:

you sometimes have in the user name two values "system" and another one in the same event.

Now you want to take only the values "SYSTEM", is it correct?

if this is your requirement, you could add mvexpand utilisateur and filter for this field, please try someting like this:

index="oncall_prod" routingKey=*
| search currentPhase=RESOLVED 
| dedup incidentNumber
| rename transitions{}.at as ack, transitions{}.by as Utilisateur, incidentNumber as N_Incident, entityDisplayName as Nom_Incident
| eval create_time = strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") 
| eval ack_time = strptime(ack,"%Y-%m-%dT%H:%M:%SZ")
| eval temps_ack = tostring((ack_time - create_time), "duration")
| eval create_time=((create_time)+7200)
| eval ack_time=((ack_time)+7200)
| eval Debut_Incident = strftime(create_time,"%Y-%m-%d %H:%M:%S ")
| eval Traitement = strftime(ack_time,"%Y-%m-%d %H:%M:%S ")
| eval temps_ack = strftime(strptime(temps_ack, "%H:%M:%S"), "%H:%M:%S ")
| rename temps_ack as Temps_Traitement
| mvexpand Utilisateur
| search Utilisateur=SYSTEM
| table N_Incident, Nom_Incident, Debut_Incident, Traitement, Temps_Traitement, Utilisateur

Ciao.

Giuseppe

Rajaion · ‎10-05-2022

Hi @gcusello ,

Thanks for your solution. I tested it but I end up with a problem, it is that I do not see the dates, I have the impression that it just removes the other name to keep only SYSTEM, which is good in itself but does not take into account the solving time and the calculation that goes behind it:

With the other solution, I manage to recover the processing time. However, I keep your solution that I will apply to other of my dashboards.

Best regards,

Do not display certain elements of a search?

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?