So, I have been struggling with this for a few days. I have thrown it against generative AI and not getting exactly what I want. We have a requirement to ensure a percentage of timely critical even...
See more...
So, I have been struggling with this for a few days. I have thrown it against generative AI and not getting exactly what I want. We have a requirement to ensure a percentage of timely critical event completion investigation per month for Critical and High notable events in Splunk ES. I have this query which gives me the numerator and denominator for the events, but does not break it out by Urgency/Severity: | inputlookup incident_review_workflow_audit
| where notable_time > relative_time(now(), "-1mon@mon")
AND notable_time < relative_time(now(), "@mon")
| eval
EventOpenedEpoch = notable_time,
TriageStartedEpoch = triage_time,
ResolutionEpoch = notable_time + new_to_resolution_duration,
DaysInNewStatus = round(new_duration/86400,2),
DaysToResolution = round(new_to_resolution_duration/86400,2)
| where new_to_resolution_duration>0
| eval
"Event Opened" = strftime(EventOpenedEpoch, "%Y-%m-%d %H:%M:%S"),
"Triage process started" = strftime(TriageStartedEpoch, "%Y-%m-%d %H:%M:%S"),
"Event Resolved" = strftime(ResolutionEpoch, "%Y-%m-%d %H:%M:%S")
| rename rule_id AS "Event ID"
| table
"Event ID",
"Event Opened",
"Triage process started",
"Event Resolved",
DaysInNewStatus,
DaysToResolution
| sort - DaysToResolution Event ID Event Opened Triage process started Event Resolved DaysInNewStatus DaysToResolution 4160DC1A-7DF2-4F18-A229-2BA45F1ED9FA@@notable@@e90ff7db7d8ff92bbe8aa4566c1bab37 2025-07-05 02:02:13 2025-07-07 09:39:07 2025-07-21 13:26:26 2.32 16.48 7C412294-C46A-448A-8170-466CE301D56A@@notable@@0feff824336394dbe4dcbedcbf980238 2025-07-05 02:02:08 2025-07-07 09:39:07 2025-07-21 13:26:26 2.32 16.48 This query does give me the Urgency for events, but does not give me time to resolution: `notable` | search (urgency=critical) | eval startTime=strftime (_time, "%Y-%m-%d %H:%M:%S") | table startTime, rule_id source comment urgency reviewer status_description owner_realname status_label startTime rule_id source comment urgency reviewer status_description owner_realname status_label 2025-07-29 09:30:16 4160DC1A-7DF2-4F18-A229-2BA45F1ED9FA@@notable@@5ebbdf0e0821b477785b018e29d44973 Endpoint - ADFS Smart Lockout Events - Rule critical Event has not been reviewed. unassigned New 2025-07-29 09:30:12 AD72F249-8457-4D5E-9557-9621E2F5D3FF@@notable@@3043a1f3a2fbc3f92f67800a066ada66 Endpoint - ADFS Smart Lockout Events - Rule critical Event has not been reviewed. unassigned New 2025-07-29 07:15:18 7C412294-C46A-448A-8170-466CE301D56A@@notable@@54a0ffabacbf083cb7f2e370937fc2bf Endpoint - ADFS Smart Lockout Events - Rule The event has been triaged critical abcde00 Initial analysis of threat John Doe Triage Trying to combine them to get time to resolution plus urgency (so I can filter on urgency) has been a complete mess. If I do manage to combine them by trimming around the Event ID / rule_id, it doesn't give me the expected number or half the time it is missing the urgency. Is there something I am missing, or is this even possible? Thanks in advance.