cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Aziz94
New Member
Member since: ‎04-15-2022
‎04-19-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-15-2022
View All

Re: How to create a Dashboard that will show SLA f...

by in Splunk Enterprise Security
‎04-19-2022 10:08 AM
‎04-19-2022 10:08 AM
Thank you so much brother,  I check that but it's not giving me the things I need in details  I just need only two query    1. The time between status_label New to status_label In Progress  2. The time difference between status_label pending to status_label closed    And sla to show me if SLA breached or no   Highly appreciated any help as I tried with many splunk experts with no help     ... View more

How to create a Dashboard that will show SLA for a...

by in Splunk Enterprise Security
‎04-15-2022 11:33 AM
‎04-15-2022 11:33 AM
Hi Everyone, I am struggling a lot to create a Dashboard that will show SLA for alerts received on Incident review Dashboard Basically I need two things only 1. SLA from alert received until assigned ( from status New to status in progress) 2. SLA from alert pending to closure ( from status Pending to status Closed) I am facing many issues where empty fields into alert urgency and creation time I have spent a week to create below query   | tstats `summariesonly` earliest(_time) as incident_creation_time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id | `drop_dm_object_name("Notable_Events_Meta")` | `get_correlations` | join type=outer rule_id [| from inputlookup:incident_review_lookup | eval _time=time | stats earliest(_time) as review_time by rule_id, owner, user, status, urgency] | rename user as reviewer | lookup update=true user_realnames_lookup user as "reviewer" OUTPUTNEW realname as "reviewer_realname" | eval reviewer_realname=if(isnull(reviewer_realname),reviewer,reviewer_realname), nullstatus=if(isnull(status),"true","false"), temp_status=if(isnull(status),-1,status) | lookup update=true reviewstatuses_lookup _key as temp_status OUTPUT status,label as status_label,description as status_description,default as status_default,end as status_end | eval incident_duration_minutes=round(((review_time-incident_creation_time)/60),0) | eval sla=case(urgency="critical" AND incident_duration_minutes>15, "breached", urgency="high" AND incident_duration_minutes>15, "breached", urgency="medium" AND incident_duration_minutes>45, "breached", urgency="low" AND incident_duration_minutes>70, "breached", isnull(review_time), "incident not assigned", 1=1, "not breached") | convert timeformat="%F %T" ctime(review_time) AS review_time, ctime(incident_creation_time) AS incident_creation_time | fields rule_id, source, urgency, reviewer_realname, incident_creation_time, review_time, incident_duration_minutes, sla, status_label | table rule_id, source, urgency, reviewer_realname, incident_creation_time, review_time, incident_duration_minutes, sla, status_label But still a lot of things are missing, could you please help in creating a small Dashboard with below requirements 1. SLA from alert received until assigned ( from status New to status in progress) 2. SLA from alert pending to closure ( from status Pending to status Closed) Many thanks in advance ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-19-2022 01:29 PM