Actually, I do not use transaction, but instead leverage the stats output. Meaning, I believe your focus should NOT just be finding the last CLOSED ticket event, but rather an approach of finding the complete Ticket Life Cycle, including tickets which are still OPEN--i.e., before deciding on your reporting output. It is kind of amazing once you see it. You can see this looking into the ServiceNow GUI for an incident ticket, but requires a lot of reading the many threads just to understand what happened for one ticket. Here you will see them all at once! Of course, you will want to go to SN to verify your results at some point using some sampling schedule.
Soooo, now deeper into my secret sauce (-: .... and, Please, anyone jump in to make this even better....
Before the 'stats trick', which I assumed you used "BY 'Ticket Number' or sys_id" to now have only one event per ticket, insert a concatenated string starting with _time:
| eval trackingSTR=_time."__".assignment_group_name."__".<any_other_fields _desired_for_timeline_tracking>
This will keep the timeline in order in the resulting tracking array field after stats. A double underscore is used as a unique value to allow for single underscores within field values that can interfere with later rex operations, when needed.
Now, you can use 'match' (which works with multivalue fields) with this new field to keep only tickets 'touched' by ServiceDesk at any time within the ticket life cycle....key words for this analysis that no prior reporting has ever done...Ticket Life Cycle. We need to stop thinking LAST assignment group, which is always the "state value" in the ServiceNow database and always reported in the past, resulting in an incomplete view of the process...love the Splunk App!!
If you add 'duration' (business or calendar) to the tracking string, you can also determine how long each assignment group has the ticket. You will be amazed at how many times these tickets are "passed around"...including "to" service desk from another assignment group who was the initial assignee...which it appears you are considering. And, when you see this time line array, I doubt you will want to only report on "Last Assignment Group".
Finally, with mvindex (0 & -1) you can easily find the first and last assignment groups. And, the others "involved" can be reported too. BTW, remember that FCR is calculated on First Assignment Group, not Last. BTW2, I use calendar time durations since the help desk is 24/7...and it is easier to calculate. ((-:
... View more