×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
splunker_ak
Explorer
Member since: ‎11-04-2024
Online
Community Statistics
Posts 4
Solutions 0
Karma Given 5
Karma Received 1
Member Since ‎11-04-2024
Activity Feed
View All

Re: Syslog-NG Configuration: Log Rotation Best Pra...

by in Getting Data In
21 hours ago
1 Karma
21 hours ago
1 Karma
I have configured log rotation on my heavy forwarders in a way that matches the ingestion rate of each source. This setup helps balance performance with storage management. High ingesting sources → rotated every 1 hour Low ingesting sources → rotated at 4 hours, 8 hours, 1 day, or longer depending on the data volume Daily compression → after 24 hours, files are zipped Retention policy → zipped files are kept for 1 week Automatic cleanup → after 1 week, files are deleted to prevent storage fill‑up on the heavy forwarder ... View more

Re: Need help with Splunk query for MTTD and MTTT ...

by in Monitoring Splunk
a month ago
a month ago
Thanks Sir Gcusello, it worked  ... View more

Re: Need help with Splunk query for MTTD and MTTT ...

by in Monitoring Splunk
a month ago
a month ago
Dear Giuseppe, Yes, I went through the default SOC Operations dashboard and referred to the SPL from there. I tried modifying it to calculate MTTT and MTTR for each SOC analyst to track their activities, but unfortunately the closure time field is showing up empty in every search. -- Ashok Kumar   ... View more

Need help with Splunk query for MTTD and MTTT per ...

by in Monitoring Splunk
a month ago
a month ago
On our SOC operations dashboard we can already see the overall MTTD (Mean Time to Detect) and MTTT (Mean Time to Triage/Respond) metrics. What I need, however, is to break these down per SOC analyst — specifically, how much time each analyst takes from detection creation through to closure. At the moment, I can capture the detection creation time, but I’m not able to find the timestamps for: When the alert was assigned When it moved to in‑progress When it was closed Without those, I can’t calculate the analyst‑level metrics. Has anyone built a query that can pull these status change times, or can point me to the right fields/logs that track assignment, in‑progress, and closure events? Any guidance or sample queries would be greatly appreciated. Thanks ... View more
Labels
Contact Me
Online Status
Online
Date Last Visited
21 hours ago
Karma from
View All
Karma given to
View All