SLA reporting in SPL

dm2 (Explorer)

Hi,

I have this query that calculates how much time the alerts are open, so far so good, but unfortunately if the rule name repeats (duplicate rule name) in a new event, then the now() function does not know how to calculate the correct time for the first rule that triggered.

How can I calculate SLA time without deleting duplicates and keeping the same structure as shown in the picture?

1 Solution

ITWhisperer (SplunkTrust)

Why are you formatting the two times before performing your calculation? Subtracting one string from another doesn't give you a number!


dm2 (Explorer)

How can I sum all the time together? stats sum did not work for me, and in addition, I also need to add
| stats count(event_id) and get the count of critical alerts in order to do Event Count / Total Time and get an average of how much time it takes to close an alert by severity.


ITWhisperer (SplunkTrust)

As I said before, you can't do calculations on strings! Try this

| stats avg(eval(incident_review_time-notable_time)) as average
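An added example, not from the thread or from Splunk's own documentation, that extends the one-liner above into a per-severity closure report. The subtraction stays on the raw epoch fields (incident_review_time and notable_time, as named in the thread), round() runs before tostring(..., "duration") so the seconds carry no decimals, and each event is compared against an SLA threshold before stats so breaches can be counted alongside the average. The 4-hour and 24-hour thresholds and the use of status_end="true" to select closed notables are assumptions for the illustration; adjust both to your environment.

```spl
`notable_by_id("*")`
| search status_end="true"
| where severity IN ("high", "critical")
| where isnotnull(incident_review_time) AND isnotnull(notable_time)
| eval close_seconds = incident_review_time - notable_time
| where close_seconds >= 0
| eval sla_seconds = case(severity == "critical", 4 * 3600,
                          severity == "high",     24 * 3600)
| eval breached = if(close_seconds > sla_seconds, 1, 0)
| stats count(event_id)       AS closed_alerts,
        sum(breached)         AS sla_breaches,
        avg(close_seconds)    AS avg_seconds,
        perc90(close_seconds) AS p90_seconds,
        max(close_seconds)    AS max_seconds
        BY severity
| eval breach_pct     = round(100 * sla_breaches / closed_alerts, 1),
       avg_close_time = tostring(round(avg_seconds, 0), "duration"),
       p90_close_time = tostring(round(p90_seconds, 0), "duration"),
       max_close_time = tostring(round(max_seconds, 0), "duration")
| table severity, closed_alerts, sla_breaches, breach_pct, avg_close_time, p90_close_time, max_close_time
```

Because the duration is computed per event before stats, duplicate rule names are irrelevant here: each notable contributes its own closure time. The isnotnull() and close_seconds >= 0 guards drop notables that were never reviewed or whose review timestamp predates the notable, which would otherwise skew the average.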

dm2 (Explorer)

Hi, can you help with this one? time_difference remains empty after the calculation.


ITWhisperer (SplunkTrust)

Why are you formatting the two times before performing your calculation? Subtracting one string from another doesn't give you a number!


dm2 (Explorer)

WORKS! Thank you.


dm2 (Explorer)

I tried the same concept for a different query and it did not run.
This one calculates how much time it took for the alert to be closed in the incident manager.


ITWhisperer (SplunkTrust)

Not quite - your fieldformat is using strftime rather than tostring.


dm2 (Explorer)

WORKED! And this is my final query. Thank you.

`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval diff=now()-_time
| eval diff=tostring(diff, "duration")
| table _time, diff, rule_name, owner, status_label, "Audit Category", urgency
| rename status_label as Status
| rename diff as time_difference

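An added example, not from the thread or from Splunk's own documentation, that builds on the final query above. The first search is the per-event open-alert report: now() - _time is evaluated on each notable's own row, so two notables with the same rule_name each get their own age (the duplicate-rule problem in the original post only arises when the times are turned into strings before subtracting, or when rows are merged before the subtraction). Rendering with tostring(..., "duration") rather than strftime("%H:%M:%S") matters for the third result discussed later in the thread: strftime treats the difference as an epoch offset and wraps at 24 hours, so a 25-hour-old alert shows as 01:02:10, whereas the duration format shows 1+01:02:10. The second search is a rollup of the same rows by rule_name, useful when a rule fires repeatedly. The SLA thresholds (4 hours for critical, 24 hours for high) are assumptions for the illustration.

```spl
`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval open_seconds = now() - _time
| eval sla_seconds = case(severity == "critical", 4 * 3600,
                          severity == "high",     24 * 3600)
| eval sla_status = if(open_seconds > sla_seconds, "BREACHED", "within SLA")
| eval time_open = tostring(round(open_seconds, 0), "duration")
| eval time_to_breach = if(open_seconds > sla_seconds, "-",
                           tostring(round(sla_seconds - open_seconds, 0), "duration"))
| eval opened = strftime(_time, "%Y-%m-%d %H:%M:%S")
| sort - open_seconds
| table opened, rule_name, severity, urgency, owner, status_label, time_open, sla_status, time_to_breach
| rename status_label AS Status

`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval open_seconds = now() - _time
| eval sla_seconds = case(severity == "critical", 4 * 3600,
                          severity == "high",     24 * 3600)
| eval breached = if(open_seconds > sla_seconds, 1, 0)
| stats count             AS open_alerts,
        sum(breached)     AS breached_alerts,
        min(open_seconds) AS newest_seconds,
        max(open_seconds) AS oldest_seconds
        BY rule_name, severity
| eval newest_open = tostring(round(newest_seconds, 0), "duration"),
       oldest_open = tostring(round(oldest_seconds, 0), "duration")
| sort - oldest_seconds
| table rule_name, severity, open_alerts, breached_alerts, newest_open, oldest_open
```

Keep the numeric open_seconds field until the very end and only format it for display; once a value has passed through tostring() or strftime() it is a string, and any further arithmetic on it (including sorting by age) silently breaks. When this runs as a scheduled report, now() is the search's start time, which is what you want for a point-in-time SLA snapshot.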

dm2 (Explorer)

Exactly, this is my search:

`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval time_difference=tostring(now() - _time)
| eval time_difference = strftime(time_difference, "%H:%M:%S")
| table _time, time_difference, rule_name, owner, status_label, "Audit Category", urgency
| rename status_label as Status

ITWhisperer (SplunkTrust)

So, why not use tostring with duration as I suggested?


dm2 (Explorer)

That worked for 2 results but not for the last one.


ITWhisperer (SplunkTrust)

For the last one, it should be 1+01:02:10 to signify 1 day + 1 hour, 2 minutes and 10 seconds, but since you haven't shown your complete search, it is difficult to know why you are missing the "1+".


dm2 (Explorer)

How can I round/get rid of the decimals after the seconds?


ITWhisperer (SplunkTrust)

Try combining the two lines:

| eval time_difference=tostring(round(incident_review_time - notable_time, 0), "duration")

ITWhisperer (SplunkTrust)

It is not clear what you are trying to achieve when _time is from the previous day.

Also, note that you could consider using:

| eval time_difference=tostring(now() - _time, "duration")
