https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247865#M47788 <P>I wrote this for average response time as well as the standard deviation for a chart of how fast events are being closed. Clearly you could modify the status_group portion to use a different field for detecting when an event is responded to.</P> <PRE><CODE>`notable` | search NOT `suppression` status_group=Closed info_search_time=* review_time=* | eval response=(review_time-info_search_time)/60/60/24 | bin _time span=2w | stats avg(response) as "Avg (Days)", stdev(response) as "Std Dev (Days)" by urgency, _time | eval "Avg (Days)"=round('Avg (Days)',1) | eval "Std Dev (Days)"=round('Std Dev (Days)',1) | rename urgency as "Notable Event Urgency" | search "Notable Event Urgency"=critical OR "Notable Event Urgency"=high OR "Notable Event Urgency"=medium | table "Notable Event Urgency" _time "Avg (Days)" "Std Dev (Days)" </CODE></PRE> Fri, 11 Mar 2016 14:03:17 GMT AndySplunks 2016-03-11T14:03:17Z https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247862#M47785 <P>Has anyone ever written any dashboards for analyst metrics around responding to notable events?</P> <P>I'm primarily looking at trying to write a search to determine time to respond to a new notable event as well as time to close as well as tracking notable events still open per day.</P> <P>The Incident Review audit is good for looking at what sorts of events are being opened, but is lacking on the response.</P> Tue, 26 Jan 2016 15:19:27 GMT https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247862#M47785 AndySplunks 2016-01-26T15:19:27Z https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247863#M47786 <P>What version of ES are you on?</P> Tue, 26 Jan 2016 16:59:10 GMT https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247863#M47786 rroberts 2016-01-26T16:59:10Z https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247864#M47787 <P>I'm on version 3.3.1.</P> Tue, 26 Jan 2016 18:08:31 GMT https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247864#M47787 AndySplunks 2016-01-26T18:08:31Z https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247865#M47788 <P>I wrote this for average response time as well as the standard deviation for a chart of how fast events are being closed. Clearly you could modify the status_group portion to use a different field for detecting when an event is responded to.</P> <PRE><CODE>`notable` | search NOT `suppression` status_group=Closed info_search_time=* review_time=* | eval response=(review_time-info_search_time)/60/60/24 | bin _time span=2w | stats avg(response) as "Avg (Days)", stdev(response) as "Std Dev (Days)" by urgency, _time | eval "Avg (Days)"=round('Avg (Days)',1) | eval "Std Dev (Days)"=round('Std Dev (Days)',1) | rename urgency as "Notable Event Urgency" | search "Notable Event Urgency"=critical OR "Notable Event Urgency"=high OR "Notable Event Urgency"=medium | table "Notable Event Urgency" _time "Avg (Days)" "Std Dev (Days)" </CODE></PRE> Fri, 11 Mar 2016 14:03:17 GMT https://community.splunk.com/t5/Getting-Data-In/Notable-Event-Metrics-SLA-Tracking-Dwell-Time-Time-To-Respond/m-p/247865#M47788 AndySplunks 2016-03-11T14:03:17Z