Hello,

I want to create a search for the average time taken to close an incident in ES, after it closes from the time incident is opened.

Since my organization only works on weekdays, I would like to exclude time for any Saturday or Sunday from average time.

I found this link -https://answers.splunk.com/answers/684817/help-creating-a-table-that-shows-incident-review-m.html

But the search provided does not seem to be working.

I need the final output as - 3 days, 3 hours, 2 minutes

All help is greatly appriciated

I found the below search to give me the exact output -
| tstats summariesonly earliest(_time) as _time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id | drop_dm_object_name("Notable_Events_Meta") | get_correlations | get_current_status | search status_label="Closed" | eval ttc=mvindex(review_time, 0) | eval ttc=ttc-_time | stats count avg(ttc) as avg_ttc,max(ttc) as max_ttc by rule_name | sort - avg_ttc | uptime2string(avg_ttc, avg_ttc) | uptime2string(max_ttc, max_ttc) | rename _ttc as (time_to_closure) | fields - *_dec

But I still am not sure how to exclude weekends from it.