Hello community, I need to set up a dashboard that tracks the status of an alert from Splunk OnCall. An alert can have 2 to 3 statuses and I would like to retrieve the _time of each step and keep it in memory for each state (to make duration calculations in particular): I manage to retrieve the _time for each state in a dedicated field, but I cannot transfer this value to the other states:

index=oncall_prod originOnCall="Prod" incidentNumber=497764
| sort _time desc
| rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)"
| eval startAlert = if(alertType == "CRITICAL", _time, null())
| eval startAlert = strftime(startAlert, "%Y-%m-%d %H:%M:%S")
| eval ackAlert = if(alertType == "ACKNOWLEDGEMENT", _time, null())
| eval ackAlert = strftime(ackAlert, "%Y-%m-%d %H:%M:%S")
| eval endAlert = if(alertType == "RECOVERY", _time, null())
| eval endAlert = strftime(endAlert, "%Y-%m-%d %H:%M:%S")
| table _time, incidentNumber, alertType, Priorité, Titre, startAlert, ackAlert, endAlert, ticket_EV

Do you have any idea how to do this? I searched the forum but couldn't find a solution that matched my problem.

Sincerely,
Rajaion
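One way to carry the three timestamps across the states, added here as an illustration and not part of Rajaion's post: collapse the events of one incident into a single row with `stats`, so the start, acknowledgement and recovery times sit side by side and can simply be subtracted. It assumes the index, field names and alertType values (CRITICAL, ACKNOWLEDGEMENT, RECOVERY) exactly as they appear in the post; `min()` keeps the earliest occurrence of each state, and an incident that has not been acknowledged or recovered yet gets a null in that column and in the durations derived from it rather than an error.

```spl
index=oncall_prod originOnCall="Prod" incidentNumber=497764
| rex field=entityDisplayName "(?<Priorité>..) - (?<Titre>.*)"
| stats min(eval(if(alertType=="CRITICAL", _time, null()))) AS startAlert
        min(eval(if(alertType=="ACKNOWLEDGEMENT", _time, null()))) AS ackAlert
        min(eval(if(alertType=="RECOVERY", _time, null()))) AS endAlert
        values(Priorité) AS Priorité
        values(Titre) AS Titre
        values(ticket_EV) AS ticket_EV
        BY incidentNumber
| eval timeToAck = ackAlert - startAlert
| eval timeToRecover = endAlert - startAlert
| eval status = case(isnotnull(endAlert), "RECOVERED",
                     isnotnull(ackAlert), "ACKNOWLEDGED",
                     isnotnull(startAlert), "OPEN",
                     true(), "UNKNOWN")
| eval timeToAck = tostring(timeToAck, "duration")
| eval timeToRecover = tostring(timeToRecover, "duration")
| fieldformat startAlert = strftime(startAlert, "%Y-%m-%d %H:%M:%S")
| fieldformat ackAlert = strftime(ackAlert, "%Y-%m-%d %H:%M:%S")
| fieldformat endAlert = strftime(endAlert, "%Y-%m-%d %H:%M:%S")
| table incidentNumber status Priorité Titre startAlert ackAlert endAlert timeToAck timeToRecover ticket_EV
```

Drop the `incidentNumber=497764` filter to get one row per incident for the dashboard; `fieldformat` keeps the epoch values numeric underneath the display string, so the panel can still sort and filter on them.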