Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Report a value from a field to another result line

Rajaion
Path Finder
‎10-04-2024 02:32 AM

Hello community,

I need to set up a dashboard that tracks the status of an alert from Splunk OnCall. An alert can have 2 to 3 statuses and I would like to retrieve the _time of each step and keep it in memory for each state (to make duration calculations in particular) :

Rajaion_0-1728034122677.png

I manage to retrieve the _time for each state in a dedicated field but I cannot transfer this value to the other states:

 

index=oncall_prod originOnCall="Prod" incidentNumber=497764
| sort _time desc
| rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)"

| eval startAlert = if(alertType == "CRITICAL", _time, "")
| eval startAlert = strftime(startAlert,"%Y-%m-%d %H:%M:%S ")

| eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, "")
| eval ackAlert = strftime(ackAlert,"%Y-%m-%d %H:%M:%S ")

| eval endAlert = if(alertType == "RECOVERY", _time, "")
| eval endAlert = strftime(endAlert,"%Y-%m-%d %H:%M:%S ")

| table _time, incidentNumber, alertType, Priorité, Titre, startAlert, ackAlert, endAlert, ticket_EV

 


Do you have any idea how to do this? I searched the forum but couldn't find a solution that matched my problem.

Sincerely,

Rajaion

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2024 04:58 AM 
index=oncall_prod originOnCall="Prod" incidentNumber=497764
| sort _time desc
| rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)"

| eval startAlert = if(alertType == "CRITICAL", _time, "")
| eval startAlert = strftime(startAlert,"%Y-%m-%d %H:%M:%S ")

| eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, "")
| eval ackAlert = strftime(ackAlert,"%Y-%m-%d %H:%M:%S ")

| eval endAlert = if(alertType == "RECOVERY", _time, "")
| eval endAlert = strftime(endAlert,"%Y-%m-%d %H:%M:%S ")

| eventstats values(startAlert) as startAlert, values(ackAlert) as ackAlert, values(endAlert) as endAlert, values(ticket_EV) as ticket_EV by incidentNumber

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2024 02:54 AM 
index=oncall_prod originOnCall="Prod" incidentNumber=497764
| sort _time desc
| rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)"

| eval startAlert = if(alertType == "CRITICAL", _time, "")
| eval startAlert = strftime(startAlert,"%Y-%m-%d %H:%M:%S ")

| eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, "")
| eval ackAlert = strftime(ackAlert,"%Y-%m-%d %H:%M:%S ")

| eval endAlert = if(alertType == "RECOVERY", _time, "")
| eval endAlert = strftime(endAlert,"%Y-%m-%d %H:%M:%S ")

| stats values(alertType) as alertType, values(Priorité) as Priorité, values(Titre) as Titre, values(startAlert) as startAlert, values(ackAlert) as ackAlert, values(endAlert) as endAlert, values(ticket_EV) as ticket_EV by incidentNumber
0 Karma
Reply
Solved! Jump to solution

Rajaion
Path Finder
‎10-04-2024 04:53 AM

Hello @ITWhisperer,

Thank you for your help, I tried to add your line but it aggregates all the lines between them and if in absolute terms, I see everything on a single line, I cannot manipulate the data (for example, put a message when there has been no acknowledgment):

Rajaion_0-1728042789945.png

Example :
| eval ticket_EV = if(alertType == "RECOVERY" AND (isnull(ackAlert)), "No ticket", ticket_EV)


Sincerely,

Rajaion

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2024 04:58 AM 
index=oncall_prod originOnCall="Prod" incidentNumber=497764
| sort _time desc
| rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)"

| eval startAlert = if(alertType == "CRITICAL", _time, "")
| eval startAlert = strftime(startAlert,"%Y-%m-%d %H:%M:%S ")

| eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, "")
| eval ackAlert = strftime(ackAlert,"%Y-%m-%d %H:%M:%S ")

| eval endAlert = if(alertType == "RECOVERY", _time, "")
| eval endAlert = strftime(endAlert,"%Y-%m-%d %H:%M:%S ")

| eventstats values(startAlert) as startAlert, values(ackAlert) as ackAlert, values(endAlert) as endAlert, values(ticket_EV) as ticket_EV by incidentNumber
Reply
Solved! Jump to solution

Rajaion
Path Finder
‎10-04-2024 06:54 AM

This is exactly what I was looking for, I can do my difference operations this way. Thank you for your help.

Sincerely,

Rajaion

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...