I have a support ticket system where people can submit their support tickets. The system is running 24 hours but the workers only work **from 8am to 8pm**,**Monday to Friday**. I have a create_time field which is when the ticket is created. So if a ticket is created on Monday 9pm, the create_time should be Monday 8am. If the ticket is created on Saturday, it should start on Monday instead.
Secondly, I have a SLA where Level 1 is 4 hours, level 2 is 8 hours. SLA refers to how long the support ticket must take to be solved. So if a support ticket of Level 1(4 hours) is raised on Monday, 7pm, the workers can only take 1 hour because they leave work at 8pm, and Tuesday 8am continue working on it, which means that the deadline should be Tuesday 11am. How do i do that?
This is my current script which is already able to skip weekends
index="test" sourcetype="incident_all_v3"
| eval check = strptime(strftime(_time , "%d/%m/%Y") , "%d/%m/%Y")
| eventstats max(check) as checktime
| where checktime = check
| dedup 1 ticket_id sortby -_time
| join ticket_id type=left
[ search index="test" sourcetype="incident_assigned"
| eval check = strptime(strftime(_time , "%d/%m/%Y") , "%d/%m/%Y")
| eventstats max(check) as checktime
| where checktime = check
| eval move_datetime = strptime(move_datetime, "%Y-%m-%d %H:%M:%S")
| dedup 1 ticket_id sortby -move_datetime
| eval move_datetime = strftime(move_datetime, "%Y-%m-%d %H:%M:%S")
| fields ticket_id move_datetime]
| eval realtime = if(isnotnull(move_datetime), move_datetime, create_time)
| eval create_time_epoch = strptime(realtime, "%Y-%m-%d %H:%M:%S")
| lookup app_name.csv queue_name output vendor, app_name
| search vendor = "Company" AND ticket_type = "Incident" AND app_name = "*"
| eval diff_seconds = now() - create_time_epoch
| eval diff_days = diff_seconds / 86400
| eval status = if (ticket_state="Closed" OR ticket_state="Completed" OR ticket_state="For Verification" OR ticket_state="Verified", "resolved" , "unresolved")
| where status = "unresolved" AND ticket_type = "Incident"
| eval SEVERITY = case ( SLA == "SLA Level 1", "1", SLA == "SLA Level 2", "2", SLA == "SLA Level 3", "3", SLA == "SLA Level 4", "4")
| eval SEVERITY = "Sev ".SEVERITY
| lookup sev_target.csv SEVERITY output TARGET
| eval SLA_DEADLINE = case(SEVERITY = "Sev 4", create_time_epoch + (TARGET*3600), SEVERITY = "Sev 3", create_time_epoch + (TARGET*3600), SEVERITY = "Sev 2", create_time_epoch + (TARGET*3600), SEVERITY = "Sev 1", create_time_epoch + (TARGET*3600))
| eval day_of_week= strftime(create_time_epoch, "%A")
| eval sum= case( (day_of_week=="Tuesday" OR day_of_week== "Sunday"), 86400, 1=1, 172800)
| eval SLA_DEADLINE = if(SEVERITY = "Sev 4", SLA_DEADLINE + sum , SLA_DEADLINE)
| eval SLA_DEADLINE = if(SEVERITY = "Sev 3", SLA_DEADLINE + sum , SLA_DEADLINE)
| eval SLA_DEADLINE = if(SEVERITY = "Sev 2", SLA_DEADLINE + sum , SLA_DEADLINE)
| eval SLA_DEADLINE = if(SEVERITY = "Sev 1", SLA_DEADLINE + sum , SLA_DEADLINE)
| eval SLA_DEADLINE = strftime(SLA_DEADLINE,"%Y-%m-%d %H:%M:%S")
| table *
↧