@dtburrows3  We are so close. Actually I did not mention about the error. The logs looks like this: ----error in checking status-------- ----Person Name: abcd, Status=active--------- -----Check for Status------ ------success : true-------- -----Start  Processing XXX---------- So I want to get the Person name for only  "error in checking status" ... View more

I also see for some file received the file name is: PD0018MM-220385-20230609211505.20230609211740-success.csv  How to modify so that the filename is extracted as PD0018MM-220385-20230609211505 | rex field=fullfilename "(?<filename>\S+)(?<event>\.pdf|\-success\.csv)$" Also how display "Pending" if no corresponding file_received for the file_sent? ... View more

Thanks, but my question is not to filter out. I am able to match the holiday, but not able to suppress alert on holidays. Format of holidays.csv Date. description 12/25/2018 Christmas ... View more

Yes!! No doubt you are an Expert! Thank you! ... View more

Experts - Any thoughts? The event is sometimes 20000 or more and appears in the search. But field values does not shows up (if it is above the 10000) or truncates ( when in the 10000 borderline). Is this limitation of splunk? ... View more

Splunk Enterprise 6.5.2 ... View more

It is not the truncation of event, the field/keyword is present in the event but not searchable. Is there a limitation to search for a keyword if it is located beyond 10000? I consistently see that in my search results that if I search for a field which is located beyond 10000 it is not able to locate it, whereas if the same filed is located before 10000 then it is able to locate. I am sure that there is limitation because when I search for the keyword/field the value is returned truncated. Whereas when i copy the whole event into an editor and search the keyword/field it is present. I see this truncation/no results if the keyword/field values are located beyond 10000. ... View more

@woodcock Thanks.I am able to get around the _time to limit the events. I will incorporate your suggestions. But the main issue is getting to the assignment_groups . Your query of counting the assignment group will not work out as assignment groups change dynamically. I have made some progress and almost there: index=snow | eval dv_opened_at=strptime(dv_opened_at, "%Y-%m-%d %H:%M:%S") | sort 0 - _time | eval trackingStr=_time."__".assignment_group_name | fields _time trackingStr | stats values(trackingStr) as trackingStr by number | sort 0 -number | eval track1= if(match(trackingStr,"Service Desk"1,0) | where trackstr = 1 | eval last = mvindex(trackingSTR, -1) |eval final = if(match(last,"Service Desk),1,0) | where final = 1 The above shows the last assignment to Service Desk . I need your expert advice if the search query can be fine tuned. I will still need to validate if my numbers match with SN. @rmarcum - Is your query similar to this to calculate the opened incidents? ... View more

After struggling for almost two weeks, I concede that I lack the skill in getting the results. Following is the query I have come up but it is not providing me the results for opened incidents for assignment_group_name - device desk . Index=snow | deduplication dv_sys_id | eval dv_opened_at=strptime(dv_opened_at, "%Y-%m-%d %H:%M:%S") | sort 0 - _time | eval trackingStr=_time."__".assignment_group_name | fields _time trackingStr | stats values(trackingStr) as trackingStr values(number) as number | eval track1= mvfilter(match(trackingStr,"Service Desk")) | table track1 I am not able to figure out how I can find the incidents handled by service desk. ... View more

Thanks for you detailed reply. I have a basic question. index=x assignment_group_name="ServiceDesk" | ...| stas ... Will this above query to restrict only servicedesk eliminate other assignments groups?. I am trying to restrict the results so that I can work with smaller dataset. For example, if a ticket is assigned to some x group and then assigned to ServiceDesk will the above query catch it. Alternatively, if the ticket is assigned to ServiceDesk and then reassigned to some other group will it also be in the results? I want to be sure if my base query for the search is alright before proceeding on your excellent logic/approach. ... View more

With your help I am able to restrict the results for a given month, I am still struggling to find a solution for the assignment_group_name. If I am search for tickets for ServiceDesk how can I accomplish. I am using transaction to group the incident by sys_id and get the last assigned group using mvlist. .... Assignment_group_name="ServiceDesk" | transaction sys_id mvlist=assignment_group_name | eval last_assign = mvindex(assignment_group_name, 0) ..... This does not take in to account a scenario where service desk is assigned intially but reassigned to some other group. Is there a way to iterate through and eliminate the results and take only results which ends with the "ServiceDesk"? ... View more

@rmarcum It seems you have logic nailed down. Will you be able to share your query for Opened Incidents you have with you? ... View more

While I am still validating the numbers, when i execute the query it brings up records of previous months, even though i specifically choose (for example from 01/04/2017 to 30/04/2017) it lists events from March 2017 probably because opened_at is in March 2017. Is there a way to eliminate those? When I execute the query for Year to date the number for April changes. So it is not consistently counting the monthly figures for incidents opened in a month. Also an incident can be opened at previous month and assigned in current month. For example, 2016/03/28 17:06:55.000 AM 2016-03-28 07:55:41 ServiceDesk INC4752169 Open 2016/04/28 7:07:55.000 PM 2016-04-28 07:55:41 IT CC INC4752169 Assigned This should not be counted against Service Desk when i run the April period. I think the scenarios explained by @rmarcum below (1 and 2) is not handled in the query. I tried the below query, which has lot of performance hits plus does not correctly handle the 1 and 2 of @rmarcum which I am looking for. Please help! index=.... | transaction dv_number mvlist=assignment_group_name maxspan=30d keepevicted=true |eval last_state_change = mvindex(assignment_group_name, -1) | eval dv_opened_at = strptime(dv_opened_at,"%Y-%m-%d %H:%M:%S") |eval _time=coalesce(dv_opened_at, _time) |sort 0 - _time |table _time dv_number assignment_group_name |rename last_state_change as assignment_group_name | search assignment_group_name="ServiceDesk" |stats values(*) as * _time | table _time dv_number assignment_group_name |timechart span=1mon dc(dv_number) AS inc BY assignment_group_name limit=20 useother=f ... View more

It is not coming up with the correct counts if Iexecute your query: The following should NOT be counted against ServiceDesk. But the query is including it. 2016/04/28 7:06:55.000 AM 2016-04-28 07:55:41 ServiceDesk INC4752169 Open 2016/04/28 7:07:55.000 PM 2016-04-28 07:55:41 IT CC INC4752169 Open The following should be counted against Service Desk but the query is not including it. 2016/04/28 7:06:55.000 AM 2016-04-28 07:55:41 ITCC INC4752179 Open 2016/04/28 7:06:55.000 AM 2016-04-28 07:55:41 ServiceDesk INC4752179 Open ... View more

Any thoughts. ... View more

It did work but the numbers are not tallying. I posted an earlier comment but it did not appear. I have posted again. ... View more

I replied to your message. But it did not appear yet. Again I am typing it. I am getting some numbers but it is not tallying and I know the reason why it is but could not translate it to SPL. The following should NOT be counted against ServiceDesk. But the query is including it. 2016/04/28 7:06:55.000 AM 2016-04-28 07:55:41 ServiceDesk INC4752169 Open 2016/04/28 7:07:55.000 PM 2016-04-28 07:55:41 IT CC INC4752169 Open The following should be counted against Service Desk but the query is not including it. 2016/04/28 7:06:55.000 AM 2016-04-28 07:55:41 ITCC INC4752179 Open 2016/04/28 7:06:55.000 AM 2016-04-28 07:55:41 ServiceDesk INC4752179 Open I tried with the query: index=.... assignment_group_name="ServiceDesk" | eval _time=strptime(opened_at,"%Y-%m-%d %H:%M:%S") |sort 0 - _time |timechart span=1mon dc(dv_number) as inc by assignment_group_name | stats latest(assignment_grup_name) dc(dv_number) <= does not work ... View more

@Marcum Thank you for your inputs, I haven't got to that stage yet! ... View more

@woodcock I modified the query and now seeing some numbers. The numbers are not tallying and I know the reason why, but could not translate it to SPL. During a month if the ticket is opened and assigned to IT ServiceDesk and subsequently reassigned to some other assignment_group say IT DBA, then the query should not count it against IT ServiceDesk. But since the below query looks for only dv_state="Open" it is off. Is there a way to count only if the assignment_group_name=IT ServiceDesk and dv_state="Open" and it is the last occurring in the assignment. In otherwords it should be counted if it is assigned to other group. The stats last(assignment_group_name) does not work. The following should not counted for IT ServiceDesk _time opened_at assignment_group_name dv_number dv_status closed_at 2016/04/28 7:05:55.000 AM 2016-04-28 07:55:41 IT ServiceDesk INC4752169 Open 2016/04/28 7:06:55.000 PM 2016-04-28 07:55:41 IT CC INC4752169 Open Following should be counted _time opened_at assignment_group_name dv_number dv_status closed_at 2016/04/28 7:05:55.000 AM 2016-04-28 07:55:41 IT CC INC4752169 Open 2016/04/28 7:06:55.000 PM 2016-04-28 07:55:41 IT ServiceDesk INC4752169 Open .... assignment_group_name="IT ServiceDesk" dv_state="Open" | eval _time = strptime(opened_at,"%Y-%m-%d %H:%M:%S") | sort 0 - _time | | timechart span=1mon dc(dv_number) AS inc BY assignment_group_name |stats last(assignment_group_name) <= does not work. ... View more