@Aziz94 Mean Time to Triage is supposed to measure the difference between status New and the first update, irrespective of status. (There may be a defect in the product's use of earliest() instead of min() when comparing values in the multi-valued time field. In my test environment, the triage metric has the same value as the resolution metric when all notables are closed.) Mean Time to Resolution measures the difference between status New and status Closed.

Based on the searches behind those metrics, we can combine data from the Incident Management data model, the incident_review_lookup lookup, and the reviewstatuses_lookup lookup to calculate new metrics. For reference, the status values include:

- New (-1, 1, or null)
- Unassigned (0)
- In Progress (2)
- Pending (3)
- Resolved (4)
- Closed (5)

You should read and understand "Restrict notable event status transitions" <https://docs.splunk.com/Documentation/ES/latest/Admin/Customizenotables#Restrict_notable_event_status_transitions> before proceeding. Your Status Configuration options, including which transitions are allowed and by whom, may invalidate the examples below.
To measure the time difference between status New and status In Progress:

````spl
| tstats summariesonly=true earliest(_time) as _time from datamodel=Incident_Management by "Notable_Events_Meta.rule_id"
| rename "Notable_Events_Meta.*" as "*"
| eval status=2
| lookup update=true incident_updates_lookup rule_id status outputnew time
| search time=*
| stats earliest(_time) as create_time max(time) as in_progress_time by rule_id
| eval diff=in_progress_time-create_time
| stats avg(diff) as mean_assignment_time
| fieldformat mean_assignment_time=tostring(mean_assignment_time, "duration")
````

To measure the time difference between status Pending and status Closed:

````spl
| tstats summariesonly=true earliest(_time) as _time from datamodel=Incident_Management by "Notable_Events_Meta.rule_id"
| rename "Notable_Events_Meta.*" as "*"
| eval status_pending=3, status_closed=5
| lookup update=true incident_updates_lookup rule_id status as status_pending output time as pending_time
| lookup update=true incident_updates_lookup rule_id status as status_closed output time as closed_time
| search pending_time=* closed_time=*
| stats max(pending_time) as pending_time max(closed_time) as closed_time by rule_id
| eval diff=closed_time-pending_time
| stats avg(diff) as mean_closure_time
| fieldformat mean_closure_time=tostring(mean_closure_time, "duration")
````

You now have two metrics, mean_assignment_time and mean_closure_time. To measure service levels, start with the values from your service level agreements, nonfunctional requirements, etc.
For example:

- 90% of notable events must be assigned within 10 minutes
- 85% of notable events must be closed within 24 hours

Calculate the assignment service level:

````spl
| tstats summariesonly=true earliest(_time) as _time from datamodel=Incident_Management by "Notable_Events_Meta.rule_id"
| rename "Notable_Events_Meta.*" as "*"
| eval status=2
| lookup update=true incident_updates_lookup rule_id status outputnew time
| search time=*
| stats earliest(_time) as create_time max(time) as in_progress_time by rule_id
| eval diff=in_progress_time-create_time
``` 10 minutes = 600 seconds ```
| stats sum(eval(if(diff<=600, 1, 0))) as assignment_service_level_met count
| eval assignment_service_level=round(100*assignment_service_level_met/count, 0)."%"
````

Calculate the closure service level:

````spl
| tstats summariesonly=true earliest(_time) as _time from datamodel=Incident_Management by "Notable_Events_Meta.rule_id"
| rename "Notable_Events_Meta.*" as "*"
| eval status_pending=3, status_closed=5
| lookup update=true incident_updates_lookup rule_id status as status_pending outputnew time as pending_time
| lookup update=true incident_updates_lookup rule_id status as status_closed outputnew time as closed_time
| search pending_time=* closed_time=*
| stats max(pending_time) as pending_time max(closed_time) as closed_time by rule_id
| eval diff=closed_time-pending_time
``` 24 hours = 86400 seconds ```
| stats sum(eval(if(diff<=86400, 1, 0))) as closure_service_level_met count
| eval closure_service_level=round(100*closure_service_level_met/count, 0)."%"
````

You can use the searches in a dashboard, add where or search commands to compare the service levels to your agreements, etc.
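The logic of the four searches above (creation time, last time a notable reached a given status, the mean of the differences, and the percentage of notables within a threshold) can be checked offline against a small status history before pointing the SPL at production data. The following Python script is an added example, not part of the answer above or of Splunk ES; it generalises the searches to any pair of statuses and runs on a constructed status-history table (`SAMPLE_HISTORY`, with invented rule_ids and epoch times), so it assumes nothing about a real incident_review collection.

```python
from statistics import mean

# Status codes as listed in the answer above (New is stored as -1, 1 or null in ES).
NEW, UNASSIGNED, IN_PROGRESS, PENDING, RESOLVED, CLOSED = -1, 0, 2, 3, 4, 5

# Constructed sample status history: (rule_id, status, epoch seconds).
# n2 is closed without ever being Pending; n4 is still New.
SAMPLE_HISTORY = [
    ("n1", NEW, 1000), ("n1", IN_PROGRESS, 1300), ("n1", PENDING, 2000), ("n1", CLOSED, 5000),
    ("n2", NEW, 1000), ("n2", IN_PROGRESS, 2200), ("n2", CLOSED, 3000),
    ("n3", NEW, 1000), ("n3", IN_PROGRESS, 1100), ("n3", IN_PROGRESS, 1500),
    ("n3", PENDING, 4000), ("n3", PENDING, 6000), ("n3", CLOSED, 96000),
    ("n4", NEW, 1000),
]


def create_times(history):
    """Earliest time seen per rule_id, like `tstats earliest(_time) ... by rule_id`."""
    out = {}
    for rule_id, _, t in history:
        out[rule_id] = min(t, out.get(rule_id, t))
    return out


def last_status_times(history, status):
    """Latest time a notable was set to `status`, like `lookup ... | stats max(time) by rule_id`."""
    out = {}
    for rule_id, s, t in history:
        if s == status:
            out[rule_id] = max(t, out.get(rule_id, t))
    return out


def transition_durations(history, from_status, to_status):
    """Seconds from `from_status` to `to_status` for notables that reached both.

    Notables missing either status are dropped, mirroring `search time=*`
    and `search pending_time=* closed_time=*` in the SPL.
    """
    start = create_times(history) if from_status == NEW else last_status_times(history, from_status)
    end = last_status_times(history, to_status)
    return {rid: end[rid] - start[rid] for rid in start if rid in end}


def mean_duration(durations):
    """Average of the per-notable durations (`stats avg(diff)`), or None if no notable qualified."""
    return mean(durations.values()) if durations else None


def service_level(durations, threshold_seconds):
    """Whole-number percentage of notables within the threshold, like the
    `sum(eval(if(diff<=N,1,0)))/count` computation in the SPL."""
    if not durations:
        return None
    met = sum(1 for d in durations.values() if d <= threshold_seconds)
    return round(100 * met / len(durations))


def as_duration(seconds):
    """Render seconds as D+HH:MM:SS, the shape tostring(x, "duration") produces."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    body = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{body}" if days else body


def report(history):
    """Compute the four metrics from the answer for one status history."""
    assignment = transition_durations(history, NEW, IN_PROGRESS)
    closure = transition_durations(history, PENDING, CLOSED)
    return {
        "mean_assignment_time": mean_duration(assignment),
        "assignment_service_level": service_level(assignment, 600),     # 10 minutes
        "mean_closure_time": mean_duration(closure),
        "closure_service_level": service_level(closure, 86400),         # 24 hours
    }


if __name__ == "__main__":
    for name, value in report(SAMPLE_HISTORY).items():
        if name.startswith("mean") and value is not None:
            value = as_duration(value)
        print(f"{name}: {value}")
```

In the sample, n2 never enters Pending and n4 never leaves New, so each contributes to only the metrics whose statuses it actually reached, which is exactly what the `search ...=*` filters in the SPL enforce; a status model that allows skipping Pending (see the transition-restriction documentation linked above) therefore changes the population behind mean_closure_time, not just its value.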