Greetings Splunk Community, I am looking to build a Dashboard Panel to show the count of incidents which have passed the SLA timeline as described below:
Older than 1 week
Older than 2 weeks
Older than 3 weeks
Older than 4 weeks
It would be nice if this can also reflect the owner name for these late incidents.
I tried something like this, but I am not sure if I am on the right track or not.
| `es_notable_events` | where status_group="New" OR status_group="Open" | stats sum(count) as count by status,urgency,owner | `get_reviewstatuses` | chart sum(count) as count over status_label by urgency | rename status_label as status | `sort_chart`
Your kind assistance is highly appreciated. Best Regards, Izzat.
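One way to produce the age buckets described in the post, as an added example that is not part of the original post. It assumes the Enterprise Security `notable` macro is available, that `_time` is the creation time of the notable event, and that each incident should be counted once, in the highest threshold it has passed; the `age_days` and `sla_bucket` field names are made up for this example.

```spl
`notable`
| where status_group="New" OR status_group="Open"
| eval age_days = (now() - _time) / 86400
| where age_days > 7
| eval sla_bucket = case(
    age_days > 28, "4. Older than 4 weeks",
    age_days > 21, "3. Older than 3 weeks",
    age_days > 14, "2. Older than 2 weeks",
    true(), "1. Older than 1 week")
| chart count over owner by sla_bucket
```

The panel's time range has to reach back at least as far as the oldest open incident, otherwise the older buckets stay empty. The numeric prefixes on the bucket labels only keep the columns in order.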