#mission_control, # splunk cloud
Hi 
In my org primarily Mission Control events are investigated by SOC as soon as they pop up, if futher investigation is needed the incident is escalated to Enterprise security TEAM who is responsible to perform deeper/detailed investigation and update back in Mission Control. 
USE CASE: 
The enterprise security manger wants a DASHBOARD which will inform him about : 
if the investigation is being performed by his team (ES)> how much average time his team member takes to resolve an incident > averaged over a month.  

For ES team I have lookup file or also I can type there name(Only 7-8 people) > I NEED A QUERY WHICH WILL EVALUATE WHEN assigne=(tom,tim,xyz) , difference between update_time & create_time , averaged out over month. 

Field we have :
| mcincidents   add_response_stats=true
| eval create_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| eval update_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| table assigne, create_time, update_time, description, disposition, id, incident_type, name, sensitivity, source_type, summary