I am creating a support ticket for my project. When a ticket is raised, it has 4 levels of severity (how long to solve the issue).
Sev 1 will have a 4-hour period, Sev 2 = 8 hours, Sev 3 = 72 hours and Sev 4 = 120 hours.
I am referencing from this post: https://answers.splunk.com/answers/69820/search-to-only-include-business-hours-and-exclude-weekends.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
but where do I input the "date_wday!="saturday" AND date_wday!="sunday" | eval myHour=strftime(_time, "%H") | where ( myHour <= 18 AND myHour > 5 )" into my code? This is my code for the project:
index="test" sourcetype="incident_all_v3"
| eval check = strptime(strftime(_time , "%d/%m/%Y") , "%d/%m/%Y")
| eventstats max(check) as checktime
| where checktime = check
| dedup 1 ticket_id sortby -_time
| join ticket_id type=left
[ search index="test" sourcetype="incident_assigned_ams"
| eval check = strptime(strftime(_time , "%d/%m/%Y") , "%d/%m/%Y")
| eventstats max(check) as checktime
| where checktime = check
| eval move_datetime = strptime(move_datetime, "%Y-%m-%d %H:%M:%S")
| dedup 1 ticket_id sortby -move_datetime
| eval move_datetime = strftime(move_datetime, "%Y-%m-%d %H:%M:%S")
| fields ticket_id move_datetime]
| eval realtime = if(isnotnull(move_datetime), move_datetime, create_time)
| eval create_time_epoch = strptime(realtime, "%Y-%m-%d %H:%M:%S")
| lookup inc_app_name.csv queue_name output vendor, app_name
| search vendor = "Company" AND ticket_type = "Incident" AND app_name = "*"
| eval diff_seconds = now() - create_time_epoch
| eval diff_days = diff_seconds / 86400
| eval status = if (ticket_state="Closed" OR ticket_state="Completed" OR ticket_state="For Verification" OR ticket_state="Verified", "resolved" , "unresolved")
| where status = "unresolved" AND ticket_type = "Incident"
| eval SEVERITY = case ( SLA == "SLA Level 1", "1", SLA == "SLA Level 2", "2", SLA == "SLA Level 3", "3", SLA == "SLA Level 4", "4")
| eval SEVERITY = "Sev ".SEVERITY
| lookup sev_target.csv SEVERITY output TARGET
| eval SLA_DEADLINE = case(SEVERITY = "Sev 4", create_time_epoch + (TARGET*3600), SEVERITY = "Sev 3", create_time_epoch + (TARGET*3600), SEVERITY = "Sev 2", create_time_epoch + (TARGET*3600), SEVERITY = "Sev 1", create_time_epoch + (TARGET*3600))
| where SLA_DEADLINE <= relative_time(strptime(strftime(now(),"%d/%m/%Y"),"%d/%m/%Y") , "+4d") AND SLA_DEADLINE >= strptime(strftime(now(),"%d/%m/%Y"), "%d/%m/%Y")
| append
[| stats count
| fields - count
| eval SLA_DEADLINE=strptime(strftime(now(),"%d/%m/%Y"),"%d/%m/%Y") ]
| append
[| stats count
| fields - count
| eval SLA_DEADLINE=relative_time(strptime(strftime(now(),"%d/%m/%Y"),"%d/%m/%Y") , "+1d") ]
| append
[| stats count
| fields - count
| eval SLA_DEADLINE=relative_time(strptime(strftime(now(),"%d/%m/%Y"),"%d/%m/%Y") , "+2d") ]
| append
[| stats count
| fields - count
| eval SLA_DEADLINE=relative_time(strptime(strftime(now(),"%d/%m/%Y"),"%d/%m/%Y") , "+3d") ]
| eval SLA_DEADLINE = strftime(SLA_DEADLINE,"%d/%m/%Y")
| stats count, avg(diff_days) as avg by SLA_DEADLINE
| eval count=count-1
| eval average = round(avg,2)." Days"
| eventstats sum(count) as total
| eval perc = round(count*100/total,2)."%"
| eval perc = count." (".perc.")"
| table SLA_DEADLINE, average, perc
| sort -perc
| sort SLA_DEADLINE
| rename SLA_DEADLINE as "Incident SLA Deadline", average as "Avg Duration", perc as "Count (Percentage)"
Right now, it is 24 hours, 7 days a week. How do I make it 5 days a week and business hours (8am to 8pm)?
If a ticket is raised on Friday 10am with SLA 3, it should be solved by Wednesday 10am.
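The deadline rule asked about above, as an added Python example (not part of the original post or of the Splunk search): it adds the severity's target hours while counting only time inside a configurable Monday-to-Friday window, which is the logic the SPL would have to reproduce instead of create_time_epoch + TARGET*3600. It assumes the severity table from the post, the "%Y-%m-%d %H:%M:%S" format the search uses for create_time, and a constructed Friday date; with a 24-hour weekday window it gives the post's "Friday 10am + Sev 3 = Wednesday 10am", while with an 8am-8pm window the same ticket lands later because only 12 hours count per day.

```python
from datetime import datetime, timedelta

# Severity -> target hours, as stated in the post.
SEV_TARGET_HOURS = {1: 4, 2: 8, 3: 72, 4: 120}
WORKDAYS = {0, 1, 2, 3, 4}          # Monday=0 .. Friday=4
FMT = "%Y-%m-%d %H:%M:%S"           # create_time format used in the search

def _window(t, open_h, close_h):
    """Opening and closing instants of the business window on t's calendar day."""
    day_open = t.replace(hour=open_h, minute=0, second=0, microsecond=0)
    return day_open, day_open + timedelta(hours=close_h - open_h)

def _next_open(t, open_h, close_h):
    """Return t if it is inside a business window, else the next window opening."""
    while True:
        if t.weekday() in WORKDAYS:
            day_open, day_close = _window(t, open_h, close_h)
            if t < day_open:
                return day_open
            if t < day_close:
                return t
        # After closing time or on a weekend: jump to the next midnight and retry.
        t = (t + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)

def business_deadline(start, target_hours, open_h=8, close_h=20):
    """Add target_hours of business time (WORKDAYS, open_h..close_h) to start."""
    remaining = timedelta(hours=target_hours)
    t = _next_open(start, open_h, close_h)
    while True:
        _, day_close = _window(t, open_h, close_h)
        available = day_close - t            # business time left in this window
        if remaining <= available:
            return t + remaining
        remaining -= available
        t = _next_open(day_close, open_h, close_h)

def sla_deadline(create_time, severity, open_h=8, close_h=20):
    """Deadline string for a ticket, in the same timestamp format as the search."""
    created = datetime.strptime(create_time, FMT)
    due = business_deadline(created, SEV_TARGET_HOURS[severity], open_h, close_h)
    return due.strftime(FMT)

if __name__ == "__main__":
    # 2024-03-01 is a Friday (constructed sample date, not from the post).
    print(sla_deadline("2024-03-01 10:00:00", 3, 0, 24))  # weekdays only: 2024-03-06 10:00:00
    print(sla_deadline("2024-03-01 10:00:00", 3))         # 8am-8pm: 2024-03-11 10:00:00
```

A ticket raised outside the window (a Saturday, or after 8pm) only starts consuming target hours at the next opening, which is the edge case the simple epoch arithmetic in the search does not handle.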