https://community.splunk.com/t5/Splunk-Enterprise-Security/Search-Notables-for-Open-and-Closure-Times/m-p/559862#M10072 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236253">@splunkeradmin22</a>&nbsp;,</P><P>Have a look at the below macro:</P><LI-CODE lang="markup">|`incident_review`</LI-CODE> Fri, 16 Jul 2021 18:51:19 GMT efika 2021-07-16T18:51:19Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Search-Notables-for-Open-and-Closure-Times/m-p/558908#M10047 <P>Hi Everyone,</P><P>I am trying to write a query that will allow me to use my notable_events table, display the time the notable opened and the time it was closed.</P><P>Looking through the forums I found:</P><P>|eval _time=strftime(_time,"%Y/%m/%d %T")<BR />|eval review_time=strftime(review_time,"%Y/%m/%d %T")<BR />|eval assign_time = case(isnotnull(owner), _time) | eval close_time = case(status=5, review_time)<BR />|stats min(_time) as notable_time min(assign_time) as assign_time min(close_time) as close_time by AlertTitle,owner</P><P>&nbsp;But that isn't quite working as it returns 0 results.</P> Fri, 09 Jul 2021 20:25:05 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Search-Notables-for-Open-and-Closure-Times/m-p/558908#M10047 splunkeradmin22 2021-07-09T20:25:05Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Search-Notables-for-Open-and-Closure-Times/m-p/559862#M10072 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236253">@splunkeradmin22</a>&nbsp;,</P><P>Have a look at the below macro:</P><LI-CODE lang="markup">|`incident_review`</LI-CODE> Fri, 16 Jul 2021 18:51:19 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Search-Notables-for-Open-and-Closure-Times/m-p/559862#M10072 efika 2021-07-16T18:51:19Z