Hello, I'm still in the learning process of Splunk searches and I have been tasked to create a table that contains only open transactions based off of "where closed_txn=0", but also join a ServiceNow Incident # to each row in the table. I've been bumbling around, testing and failing on this one. I've got it to a point where the table is only showing the open transactions, but it is being duplicated for every incident # from ServiceNow.

Below is the search I am using; I've probably done this all wrong:

    integrationName="Opsgenie Edge Connector - Splunk", alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote"
    | transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
    | table _time, alert.updatedAt, alert.message, alert.alias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time
    | where closed_txn=0
    | rename alert.message AS "Branch"
    | rename "alertDetails.Alert Details URL" as "Source Link"
    | eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
    | fields Created, Branch, "Source Link"
    | sort by Created DESC
    | fields - _raw, _time
    | join s max=0
        [ search (integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
          | eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias)
          | stats values(*) as * by joiner
          | where alertAlias=x_86994_opsgenie_alert_alias
          | rename dv_number as Incident
          | table alertAlias, Incident
          | fields alertAlias, Incident ]
    | table Created, Branch, "Source Link", Incident

Thanks for any help on this one, much appreciated.

Tom
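One way to get exactly one ServiceNow incident per open transaction, as an added example that is not from the post above: the join is keyed on the alert alias, which must survive the outer search until the join, and the subsearch is reduced to one row per alias so the join cannot fan out. It assumes the Opsgenie alert.alias value is the same string ServiceNow stores in x_86994_opsgenie_alert_alias, and that one incident per alias is wanted (dedup keeps the most recent one).

```spl
integrationName="Opsgenie Edge Connector - Splunk" alert.message="STORE*" alert.message!="*Latency" alert.message!="*Loss" action!="AddNote"
| transaction alert.id alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| sort - _time
| rename alert.alias AS alertAlias, alert.message AS Branch, "alertDetails.Alert Details URL" AS "Source Link"
| eval Created=strftime(_time, "%m-%d-%Y %H:%M:%S")
| join type=left alertAlias
    [ search sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration
      | rename x_86994_opsgenie_alert_alias AS alertAlias, dv_number AS Incident
      | dedup alertAlias
      | table alertAlias, Incident ]
| table Created, Branch, "Source Link", Incident
```

Sorting on _time before the eval keeps the rows in true chronological order; the formatted Created string (month first) does not sort chronologically. The left join keeps open transactions that have no incident yet, with an empty Incident column, so they remain visible rather than silently disappearing.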