Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How does Splunk calculate Time to Triage?

-Chris-
Observer
‎06-01-2022 12:53 AM

How does Splunk calculate Time to Triage, what data does it use? e.g. time an event occurred and time the event was put modified or put in pending etc.?

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-01-2022 03:52 AM

Hi @-Chris-,

it isn't so clear for me what you mean with "Time to triage"

if you mean the time that Splunk need to index a log, it's very low and depends on the time requested to transfer data from Universal Forwarder to Indexer, then it depends on the queue that you can monitor using the Monitor Console.

It's possible to modify data only before indexing, during the parsing phase, after data are uneditable, and they are pending only if there are queues that you can see using the Monitor Console.

Ciao.

Giuseppe

0 Karma
Reply

-Chris-
Observer
‎06-01-2022 04:29 AM

Example: https://community.splunk.com/t5/Splunk-Search/Mean-Time-To-Triage/m-p/568484

This is specifically related to Splunk ES and Notable Events (NE). We assume that TTT is the time that an NE fires how long until it is next modified, e.g. the status is changed. We want to confirm this.

0 Karma
Reply

-Chris-
Observer
‎06-01-2022 08:41 PM

More investigation looks like it uses a field called "duration"? But we can't see how it is calculated or what process steps influence the duration. i.e update timestamps.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...