×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
splunker_ak
Explorer
Member since: ‎11-04-2024
a month ago
Community Statistics
Posts 4
Solutions 0
Karma Given 5
Karma Received 1
Member Since ‎11-04-2024
Activity Feed
View All

Re: Syslog-NG Configuration: Log Rotation Best Pra...

by in Getting Data In
‎05-11-2026 02:22 AM
1 Karma
‎05-11-2026 02:22 AM
1 Karma
I have configured log rotation on my heavy forwarders in a way that matches the ingestion rate of each source. This setup helps balance performance with storage management. High ingesting sources → rotated every 1 hour Low ingesting sources → rotated at 4 hours, 8 hours, 1 day, or longer depending on the data volume Daily compression → after 24 hours, files are zipped Retention policy → zipped files are kept for 1 week Automatic cleanup → after 1 week, files are deleted to prevent storage fill‑up on the heavy forwarder ... View more

Re: Need help with Splunk query for MTTD and MTTT ...

by in Monitoring Splunk
‎04-13-2026 03:41 AM
‎04-13-2026 03:41 AM
Thanks Sir Gcusello, it worked  ... View more

Re: Need help with Splunk query for MTTD and MTTT ...

by in Monitoring Splunk
‎04-13-2026 01:18 AM
‎04-13-2026 01:18 AM
Dear Giuseppe, Yes, I went through the default SOC Operations dashboard and referred to the SPL from there. I tried modifying it to calculate MTTT and MTTR for each SOC analyst to track their activities, but unfortunately the closure time field is showing up empty in every search. -- Ashok Kumar   ... View more

Need help with Splunk query for MTTD and MTTT per ...

by in Monitoring Splunk
‎04-13-2026 12:52 AM
‎04-13-2026 12:52 AM
On our SOC operations dashboard we can already see the overall MTTD (Mean Time to Detect) and MTTT (Mean Time to Triage/Respond) metrics. What I need, however, is to break these down per SOC analyst — specifically, how much time each analyst takes from detection creation through to closure. At the moment, I can capture the detection creation time, but I’m not able to find the timestamps for: When the alert was assigned When it moved to in‑progress When it was closed Without those, I can’t calculate the analyst‑level metrics. Has anyone built a query that can pull these status change times, or can point me to the right fields/logs that track assignment, in‑progress, and closure events? Any guidance or sample queries would be greatly appreciated. Thanks ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
a month ago
Karma from
View All
Karma given to
View All