Carry over the value of a field to another result row

Red
Observer

Hello community,

I have set up a bucket to retrieve events from the "Splunk OnCall" tool in order to create monitoring dashboards. No problem on this side, I receive my data.

I am preparing a dashboard with the listing of OnCall alerts. In order to provide maximum detail, I want to calculate the lifetime of an OnCall alert. And this is where I get stuck because I receive an event for each alert status. I am looking to use the "timestamp" field to be able to do this calculation, so I started with the idea of having a field with the timestamp value for each state in order to do a basic calculation:

[screenshot: Red_0-1737709178176.png]

However, I have a problem: I am looking to report the values of these fields on each line of the result of an alert, otherwise I cannot do the calculation:

[screenshot: Red_1-1737709198135.png]

And the additional difficulty is that I must only display the last current state (in the previous screens, I show the 3 possible states to illustrate my problem but at the end, there is a dedup to keep only the last state).

I searched everywhere in the doc but I did not find a solution. Do you have any idea how we can go about it, if it is feasible?

Here is the DQL that I am currently using, it is not yet optimized:

fetch events
| filter source == "OnCall"
| filterOut in(routingKey, array("dynatrace_event", "mpb-dynatrace_event"))
| sort incidentNumber asc, timestamp desc
//| dedup incidentNumber
| fieldsAdd parse(event, "STRING:priority ' - 'LD")
| fieldsAdd parse(event, """(('P'LD' - 'LD:title)|LD:title)""")
| fieldsAdd priority = if(isNull(priority), "Px", else:priority)
| fieldsAdd routingKey = if(routingKey == "dynatrace_2", "Dynatrace", else:if(routingKey == "servicepilot_prod", "ServicePilot", else:if(routingKey == "control-m", "Control-M", else:if(routingKey == "dynatrace_mfe", "Dynatrace MFE", else:if(routingKey == "control-m_mfe", "Control-M MFE", else:if(routingKey == "dynatrace_amm", "Dynatrace AMM", else:if(routingKey == "control-m_z-os", "Control-M Z/OS", else:if(routingKey == "mpb-control-m", "Control-M MPB", else:if(routingKey == "mpb-dynatrace_problem", "Dynatrace MPB", else:if(routingKey == "dynatrace_f02", "Dynatrace F02", else:routingKey))))))))))

| fieldsAdd startAlert = if(alertType == "CRITICAL", timestamp, else:"")
| fieldsAdd ackAlert = if(alertType == "ACKNOWLEDGEMENT", timestamp, else:"")
| fieldsAdd endAlert = if(alertType == "RECOVERY", timestamp, else:"")

| fieldsRename `Priorité` = priority, `Dernier état` = alertType, `Titre` = title, `N° OnCall` = incidentNumber, `Propriétaire` = owner, `Source` = routingKey, `N° ticket EV` = ticket_EV
| fields timestamp, startAlert, ackAlert, endAlert, `N° OnCall`, `Dernier état`, `Priorité`, Titre, Source, `Propriétaire`, `N° ticket EV`

Thanks in advance,

Sincerely,

Red

Tiit_Hallas
Dynatrace Helper

Would it make sense to summarize the results? If I got your question right, then one of the solutions would be to use the takeLast aggregation function for the times and just summarize based on them, e.g.

| summarize {
    start_time = takeLast(start), 
    ack_time = takeLast(ack), 
    end_time = takeLast(end),
    latest_status = takeLast(status)
  }, by: { id, title }


A solution with the demo data that resembles your use-case can be seen in a shared case on our Playground: https://wkf10640.apps.dynatrace.com/ui/apps/dynatrace.security.investigator/share/2a99bca9-eeb7-4671...

Is this something you had in mind?

I had a life once. Then I bought my first computer ...

Hello @Tiit_Hallas,

Thanks for your help. I'm not yet comfortable with DQL, I'm still discovering some things (like the "summarize" command). I adapted it slightly to add some necessary fields to my dashboard, and I get everything back as it should:

[screenshot: Red_1-1738059285684.png]

So, after having validated on a particular alert (this makes the verification more readable), I deactivated the filter so that it applies to all the fields, but then I no longer have the fields filled in:

[screenshot: Red_2-1738059491309.png]

I have the impression that it only takes the last parameter (in our case, the end_time). I tinkered a little and I saw that by changing the order of the "by" parameter and specifying to sort by the incidentNumber, it worked as well for a targeted element as for the entire dashboard:

[screenshot: Red_3-1738060630396.png]

Thanks again for your help. Have a nice day,

Sincerely,

Red
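As an added illustration (not code from this thread, and Python rather than DQL): a small model of what the summarize/takeLast approach does per incidentNumber, showing why the rows must be in timestamp order before the "last" value is taken, which is the ordering effect noted in the follow-up. The event records and the start/ack/end field names are constructed to mirror the alertType and timestamp fields used in the question.

```python
# Constructed sample: one event per status change, deliberately out of
# timestamp order, as a raw bucket query may return them.
EVENTS = [
    {"incidentNumber": "1001", "timestamp": 1737709300, "alertType": "RECOVERY"},
    {"incidentNumber": "1001", "timestamp": 1737709100, "alertType": "CRITICAL"},
    {"incidentNumber": "1001", "timestamp": 1737709200, "alertType": "ACKNOWLEDGEMENT"},
    {"incidentNumber": "1002", "timestamp": 1737710000, "alertType": "CRITICAL"},
    {"incidentNumber": "1002", "timestamp": 1737710500, "alertType": "ACKNOWLEDGEMENT"},
]

# alertType -> output column, mirroring the startAlert/ackAlert/endAlert fields
STATE_FIELDS = {"CRITICAL": "start", "ACKNOWLEDGEMENT": "ack", "RECOVERY": "end"}


def take_last(values):
    """Last non-null value in group order, or None if every value is null."""
    last = None
    for v in values:
        if v is not None:
            last = v
    return last


def summarize_incidents(events, sort_by_timestamp=True):
    """Group by incidentNumber and carry each state's timestamp onto one row."""
    groups = {}
    for e in events:
        groups.setdefault(e["incidentNumber"], []).append(e)
    rows = {}
    for incident, group in groups.items():
        if sort_by_timestamp:
            # Without this, "last" means last in arrival order, not latest in time.
            group = sorted(group, key=lambda e: e["timestamp"])
        row = {"incidentNumber": incident}
        for state, field in STATE_FIELDS.items():
            row[field] = take_last(
                e["timestamp"] if e["alertType"] == state else None for e in group
            )
        row["latest_status"] = take_last(e["alertType"] for e in group)
        # Lifetime is only defined once the alert has both a start and a recovery.
        row["lifetime_s"] = (
            row["end"] - row["start"]
            if row["start"] is not None and row["end"] is not None
            else None
        )
        rows[incident] = row
    return rows
```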
