Hi all,

I'm hoping someone could help assist with refining an SPL query to extract escalation data from Mission Control. The query is largely functional (feel free to steal borrow it), but I am encountering a few issues:

Status Name Field: This field, intended to provide the status of the incident (with a default value if not specified), is currently returning blank results.

Summary and Notes Fields: These fields are returning incorrect data, displaying random strings instead of the expected information.

Escalation Priority: The inclusion of the "status" field was an attempt to retrieve escalation priority, but it is populating with a random field that does not accurately reflect the case priority (1-5).

I also tried to use the mc_investigations_lookup table, but this too doesn't display current case status or priority.

Any guidance or support in resolving these issues would be greatly appreciated.

SPL:

| mcincidents
| `get_realname(creator)`
| fieldformat create_time=strftime(create_time, "%c")
| eval _time=create_time, id=title
| `investigation_get_current_status`
| `investigation_get_collaborator_count`
| spath output=collaborators input=collaborators path={}.name
| sort -create_time
| eval age=toString(now()-create_time, "duration")
| eval new_time=strftime(create_time,"%Y-%m-%d %H:%M:%S.%N")
| eval time=rtrim(new_time,"0")
| table time, age, status, status_name, display_id, name, description, assignee, summary