Related Answers
Download topic as PDF
Search with response template data in Splunk Mission Control
Write searches about response templates while investigating incidents in Splunk Mission Control. After you add a response template to an incident, it becomes a response plan. See the following tables to make sure that you're using the indexed fields correctly when using response template data in searches. For more information on response templates, see Create response templates to establish guidelines for incident response in Splunk Mission Control.
Response template fields
Use the following fields in response template searches to extract more information about the response template in general.
| Field name | Description | When to use |
|---|---|---|
| create_time | The time the template was created or applied to the incident. | To identify when response activity started for an incident in general. |
| creator | The user who created the response template. | To determine who created the response template. |
| description | The description of the response template. | To understand more information about the response plan. |
| end_time | The time when the response plan was completed. | To determine when the response plan was completed. |
| files | Whether there are files associated with the response plan. | To determine if there are files attached in this response plan. |
| id | Uniquely identifies the response template. | To find a specific response template. |
| name | Name of the response template. | To identify the name of the response template. |
| notes | Whether there are notes associated with the response plan. | To determine whether there are notes used in the response plan. |
| start_time | The time when the response plan was started. | To determine how long this response plan was in progress. |
| template_status | Whether the response template is published. | To determine if other users can use this response template. |
| update_time | The time when the template was updated. | To understand how active an incident investigation is. |
| updated_by | The user who last updated the response plan. | To determine who most recently worked on a response plan. |
| source_template_id | The original response template ID applied to this incident. | To understand what the source template was before the template was modified. |
Response plan phase fields
Use the following fields in response template searches to extract more information about response plan phases.
| Field name | Description | When to use |
|---|---|---|
| create_time | The time the phase was created. | To identify when phase activity began. |
| id | Uniquely identifies the response template phase. | To find a specific response template phase. |
| name | Name of the response template phase. | To identify the name of the response template phase. |
| order | The order of the phase. | To understand when to complete this phase. |
| update_time | The time the phase was updated. | To understand how active an incident investigation is. |
Response plan task fields
Use the following fields in response template searches to extract more information about response plan task phases.
| Field name | Description | When to use |
|---|---|---|
| create_time | The time the task was created. | To identify when task activity began. |
| description | The description of the response template task. | To understand more information about the task. |
| id | Uniquely identifies the response template task. | To find a specific response template task. |
| is_note_required | Whether the response plan requires a note when a task is completed. | To determine if a note is required when a task is completed. |
| name | Name of the response template task. | To identify the name of the response template task. |
| order | The order of the task. | To understand when to complete this task. |
| owner | Who the response plan task is assigned to. | To determine who should be working on a specific response task. |
| status | Status of the response plan, which can be Incomplete, In progress, or Complete. | To identify the status of a response plan. |
| tag | The original task ID from the response template. | To understand what the task ID was before the template was modified. |
| total_time_taken | The amount of time in seconds it took to complete a task. | To determine how long a task was being worked on. |
| update_time | The time the task was updated. | To understand how active an incident investigation is. |
Example searches for response template data in Splunk Mission Control
Use these example searches to report on response template usage in Splunk Mission Control.
Use the mcincidents custom search command when searching for phases or tasks. Use the `mc_incidents` macro when searching for incidents.
List of applied response plans by incident ID
To see which response plans were applied to an incident by incident ID, even if it was subsequently removed, use the following example search.
| mcincidents unwind_to=responseplan | stats values(name) by incident_id
Number of tasks by status and assignee
To see the number of tasks listed by their status and assignee, use the following example search.
|mcincidents unwind_to=task | stats count by owner status
Total time taken to complete a task
To see the total time it takes to complete a task, use the following example search. The total_time_taken>0 field is the number of seconds it takes to complete a task. The unwind_to field generates one row per task to provide a clearer reading experience at the task level.
|mcincidents unwind_to=task | eval task_id=id | search total_time_taken>0 | table incident_id, phase_id, task_id, name, total_time_taken
|
PREVIOUS Search with incident data in Splunk Mission Control |
NEXT Search with action and playbook data in Splunk Mission Control |
This documentation applies to the following versions of Splunk® Mission Control: Current
Feedback submitted, thanks!