Dashboards & Visualizations

Build a Dashboard Panel to show incidents which have passed the SLA timeline

Izzat
Observer

Greetings Splunk Community, 
I am looking to build a Dashboard Panel to show the count of incidents which have passed the SLA timeline as described below:

| Urgency (Count) | SLA Time |
|---|---|
| Critical | Older than 1 week |
| High | Older than 2 weeks |
| Medium | Older than 3 weeks |
| Low | Older than 4 weeks |


It would be nice if this can also reflect the owner name for these late incidents.

I tried something like this, but I am not sure if I am on the right track or not.

| `es_notable_events`
| where status_group="New" OR status_group="Open"
| stats sum(count) as count by status,urgency,owner | `get_reviewstatuses`
| chart sum(count) as count over status_label by urgency | rename status_label as status | `sort_chart`

Your kind assistance is highly appreciated.
Best Regards,
Izzat.
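
Added example, not part of the original post: one way to express the SLA table above in SPL, counting only incidents older than their urgency's limit and splitting the count by owner. The first six lines build constructed sample rows (the owner names and ages are made up); in a real environment they would be replaced by a base search that returns one row per open incident with `_time`, `urgency` and `owner`, which is an assumption about the data available.

```spl
| makeresults
| eval constructed_rows=split("critical,analyst_a,9;critical,analyst_b,3;high,analyst_a,15;medium,analyst_c,30;low,analyst_b,20;low,analyst_c,29;informational,analyst_a,60", ";")
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<urgency>[^,]+),(?<owner>[^,]+),(?<age_days>\d+)$"
| eval _time=now() - tonumber(age_days)*86400
| fields _time urgency owner
| eval sla_days=case(lower(urgency)=="critical", 7, lower(urgency)=="high", 14, lower(urgency)=="medium", 21, lower(urgency)=="low", 28)
| where isnotnull(sla_days) AND (now() - _time) > sla_days*86400
| chart count over owner by urgency
```

Urgencies that are not in the SLA table (here `informational`) get no `sla_days` value and are dropped by the `where` clause rather than being counted as late.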
