Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Search with response template data in Splunk Mission Control

Write searches about response templates while investigating incidents in Splunk Mission Control. After you add a response template to an incident, it becomes a response plan. See the following tables to make sure that you're using the indexed fields correctly when using response template data in searches. For more information on response templates, see Create response templates to establish guidelines for incident response in Splunk Mission Control.

Response template fields

Use the following fields in response template searches to extract more information about the response template in general.

Field name Description When to use
create_time The time the template was created or applied to the incident. To identify when response activity started for an incident in general.
creator The user who created the response template. To determine who created the response template.
description The description of the response template. To understand more information about the response plan.
end_time The time when the response plan was completed. To determine when the response plan was completed.
files Whether there are files associated with the response plan. To determine if there are files attached in this response plan.
id Uniquely identifies the response template. To find a specific response template.
name Name of the response template. To identify the name of the response template.
notes Whether there are notes associated with the response plan. To determine whether there are notes used in the response plan.
start_time The time when the response plan was started. To determine how long this response plan was in progress.
template_status Whether the response template is published. To determine if other users can use this response template.
update_time The time when the template was updated. To understand how active an incident investigation is.
updated_by The user who last updated the response plan. To determine who most recently worked on a response plan.
source_template_id The original response template ID applied to this incident. To understand what the source template was before the template was modified.

Response plan phase fields

Use the following fields in response template searches to extract more information about response plan phases.

Field name Description When to use
create_time The time the phase was created. To identify when phase activity began.
id Uniquely identifies the response template phase. To find a specific response template phase.
name Name of the response template phase. To identify the name of the response template phase.
order The order of the phase. To understand when to complete this phase.
update_time The time the phase was updated. To understand how active an incident investigation is.

Response plan task fields

Use the following fields in response template searches to extract more information about response plan task phases.

Field name Description When to use
create_time The time the task was created. To identify when task activity began.
description The description of the response template task. To understand more information about the task.
id Uniquely identifies the response template task. To find a specific response template task.
is_note_required Whether the response plan requires a note when a task is completed. To determine if a note is required when a task is completed.
name Name of the response template task. To identify the name of the response template task.
order The order of the task. To understand when to complete this task.
owner Who the response plan task is assigned to. To determine who should be working on a specific response task.
status Status of the response plan, which can be Incomplete, In progress, or Complete. To identify the status of a response plan.
tag The original task ID from the response template. To understand what the task ID was before the template was modified.
total_time_taken The amount of time in seconds it took to complete a task. To determine how long a task was being worked on.
update_time The time the task was updated. To understand how active an incident investigation is.

Example searches for response template data in Splunk Mission Control

Use these example searches to report on response template usage in Splunk Mission Control.

Use the mcincidents custom search command when searching for phases or tasks. Use the `mc_incidents` macro when searching for incidents.

List of applied response plans by incident ID

To see which response plans were applied to an incident by incident ID, even if it was subsequently removed, use the following example search.

| mcincidents unwind_to=responseplan | stats values(name) by incident_id

Number of tasks by status and assignee

To see the number of tasks listed by their status and assignee, use the following example search.

|mcincidents unwind_to=task | stats count by owner status

Total time taken to complete a task

To see the total time it takes to complete a task, use the following example search. The total_time_taken>0 field is the number of seconds it takes to complete a task. The unwind_to field generates one row per task to provide a clearer reading experience at the task level.

|mcincidents unwind_to=task | eval task_id=id | search total_time_taken>0 | table incident_id, phase_id, task_id, name, total_time_taken

Last modified on 25 January, 2024
Search with incident data in Splunk Mission Control   Search with action and playbook data in Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters