Splunk Search

SLA reporting in SPL

dm2
Explorer

Hi, 

I have this query that calculates how much time the alerts are open, so far so good, but unfortunately if the rule name repeats (duplicate rule name) in a new event, then the now() function does not know how to calculate the correct time for the first rule that triggered.

How can I calculate SLA time without deleting duplicates and keeping the same structure as shown in the picture?

1 Solution

ITWhisperer
SplunkTrust

Why are you formatting the two times before performing your calculation? Subtracting one string from another doesn't give you a number!


dm2
Explorer

How can I sum all the time together? stats sum did not work for me, and in addition I also need to add
| stats count(event_id) and get the count of critical alerts in order to do Event Count / Total Time and get an average of how much time it takes to close an alert by severity.

ITWhisperer
SplunkTrust

As I said before, you can't do calculations on strings! Try this

| stats avg(eval(incident_review_time-notable_time)) as average

dm2
Explorer

Hi, can you help with this one? time_difference remains empty after the calculation

ITWhisperer
SplunkTrust

Why are you formatting the two times before performing your calculation? Subtracting one string from another doesn't give you a number!


dm2
Explorer

WORKS! thank you


dm2
Explorer

I tried the same concept for a different query and it did not run:
This one calculates how much time the alert took to be closed on the incident manager

ITWhisperer
SplunkTrust

Not quite - your fieldformat is using strftime rather than tostring


dm2
Explorer

WORKED! And this is my final query. TY

`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval timenow=now()
| eval nowstring=strftime(now(), "%H:%M:%S %p")
| eval diff=now()-_time
| eval diff=tostring(diff, "duration")
| table _time, diff, rule_name, owner, status_label, "Audit Category", urgency
| rename status_label as Status
| rename diff as time_difference 

dm2
Explorer

Exactly, this is my search

`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval time_difference=tostring(now() - _time)
| eval time_difference = strftime(time_difference, "%H:%M:%S")
| table _time, time_difference, rule_name, owner, status_label, "Audit Category", urgency
| rename status_label as Status

ITWhisperer
SplunkTrust

So, why not use tostring with duration as I suggested?


dm2
Explorer

That worked for 2 results but not for the last one

ITWhisperer
SplunkTrust

For the last one, it should be 1+01:02:10 to signify 1 day + 1 hour, 2 minutes and 10 seconds, but since you haven't shown your complete search, it is difficult to know why you are missing the "1+"


dm2
Explorer

How can I round/get rid of the decimals after the seconds?

ITWhisperer
SplunkTrust

Try combining the two lines

| eval time_difference=tostring(round(incident_review_time - notable_time, 0), "duration")

ITWhisperer
SplunkTrust

It is not clear what you are trying to achieve when _time is from the previous day.

Also, note that you could consider using

| eval time_difference=tostring(now() - _time, "duration")
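Putting the thread's pieces together, as an added example that is not from any post above: the open time is computed per event on the raw epoch numbers (so a repeated rule_name simply gets its own row and no dedup is needed), rounded before formatting, and then averaged by severity. The macro and field names are the ones used in the thread; open_seconds, open_alerts and avg_open are assumed names.

```spl
`notable_by_id("*")`
| search status_end="false"
| where severity IN ("high", "critical")
| eval open_seconds=round(now() - _time, 0)
| eval time_difference=tostring(open_seconds, "duration")
| stats count AS open_alerts, avg(open_seconds) AS avg_open_seconds BY severity
| eval avg_open=tostring(round(avg_open_seconds, 0), "duration")
| table severity, open_alerts, avg_open
```

Values of a day or more render as "1+01:02:10"; drop the stats line to keep the per-alert table with rule_name, owner and status instead of the per-severity summary.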
