Splunk Search

How do I edit my current search to list all ITSM tickets where status!=Closed?

sivasobh
Engager

Below is the search I am using, which lists the ITSM tickets in our group queue, but some old tickets which are in our queue are still not showing in this list. It's only taking the latest list... Can someone give a suggestion?

We use BMC Remedy for ticketing.

eventtype=itsm_incidents | sort-Last_Modified_Date_2| dedup Incident_ID | convert ctime(Reported_Date), ctime(Closed_Date), ctime(Last_Modified_Date_2), ctime(Assignment_Date) | where Status!="Closed" | where Assigned_Group="Web Platform Support L2 - All"|table Incident_ID, Last_Modified_Date_2, Closed_Date, Assigned_Group, Assignee, Product_Categorization_Tier_3, Status

Navanitha
Path Finder

Hey Siva,

We have a similar requirement to bring ITSM service tickets data into Splunk. Any light on how to do this or how did you do this would really help.

Thank you in advance.


lguinn2
Legend

I have some ideas:
1 - What is the timerange of your search? If the last entry for an incident was 90 days ago, but you are only searching the last 60 days, there will be nothing for Splunk to find.
2 - You are de-duping your data based on the Incident_ID, after reverse sorting on the Last_Modified_Date_2 (although it looks like a typo in the sort command, I will assume that it is merely a cut-and-paste error). If the field "Last_Modified_Date_2" is always accurate and never null, then you will get what you want (the latest event for the incident). Otherwise, it might be problematic.
3 - Finally, this has nothing to do with your problem, but your search is not as efficient as it could be. I would do this:

eventtype=itsm_incidents Assigned_Group="Web Platform Support L2 - All"
| sort -Last_Modified_Date_2 | dedup Incident_ID
| where Status!="Closed"
| convert ctime(Reported_Date), ctime(Closed_Date), ctime(Last_Modified_Date_2), ctime(Assignment_Date)
| table Incident_ID, Last_Modified_Date_2, Closed_Date, Assigned_Group, Assignee, Product_Categorization_Tier_3, Status
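The following is an added example, not a search from any post in this thread, that addresses the two failure modes raised in the reply above: a time range that excludes the last record of an old ticket, and a null Last_Modified_Date_2 that makes sort/dedup keep a stale record. It assumes Last_Modified_Date_2 is stored as epoch seconds (the original search's convert ctime(...) implies a numeric field) and that one year is a wide enough window for the oldest open ticket; both the earliest=-365d modifier and the sort_ts field name are assumptions chosen for illustration.

```spl
eventtype=itsm_incidents earliest=-365d Assigned_Group="Web Platform Support L2 - All"
| eval sort_ts=coalesce(Last_Modified_Date_2, _time)
| sort 0 -sort_ts
| dedup Incident_ID
| where isnull(Status) OR Status!="Closed"
| convert ctime(Reported_Date), ctime(Closed_Date), ctime(Last_Modified_Date_2), ctime(Assignment_Date)
| table Incident_ID, Last_Modified_Date_2, Closed_Date, Assigned_Group, Assignee, Product_Categorization_Tier_3, Status
```

What each change does: earliest=-365d pins the search window in the query itself rather than relying on the time picker, which is the most likely cause of the missing old tickets; coalesce() falls back to the event's own _time when Last_Modified_Date_2 is missing, so dedup still keeps the newest record for each Incident_ID; sort 0 lifts the default 10,000-result cap that sort applies, which would otherwise silently drop tickets in a large queue before dedup runs; and isnull(Status) OR keeps records whose Status field is absent, because a comparison against a null field evaluates false and a plain where Status!="Closed" would discard them. A ticket whose last record in Splunk is older than the window will still be missing, so the window has to be at least as long as the oldest ticket that can sit open in the queue.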

lguinn2
Legend

What is the timerange of your search? Would that timerange include the older tickets?


ChrisYang
Explorer

By the way, how did you index the tickets data from BMC Remedy ITSM? Thanks.
