Splunk Enterprise Security

Create a search to find Average time taken to close an incident from the time it opens

vatsalyay
New Member

Hello,

I want to create a search for the average time taken to close an incident in ES, measured from the time the incident is opened until it is closed.

Since my organization only works on weekdays, I would like to exclude time for any Saturday or Sunday from average time.

I found this link - https://answers.splunk.com/answers/684817/help-creating-a-table-that-shows-incident-review-m.html

But the search provided does not seem to be working.

I need the final output as - 3 days, 3 hours, 2 minutes

All help is greatly appreciated.

I found the below search to give me the exact output -
| tstats summariesonly earliest(_time) as _time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id
| drop_dm_object_name("Notable_Events_Meta")
| get_correlations
| get_current_status
| search status_label="Closed"
| eval ttc=mvindex(review_time, 0)
| eval ttc=ttc-_time
| stats count avg(ttc) as avg_ttc,max(ttc) as max_ttc by rule_name
| sort - avg_ttc
| uptime2string(avg_ttc, avg_ttc)
| uptime2string(max_ttc, max_ttc)
| rename _ttc as (time_to_closure)
| fields - *_dec

But I still am not sure how to exclude weekends from it.


vatsalyay
New Member

@AndySplunks


vatsalyay
New Member

@FrankVl It is something like what you have done for
https://answers.splunk.com/answers/751764/how-to-count-only-business-days.html?sort=oldest

But in my case I would need the final output like - 3 days, 3 hours, 2 minutes. Can you please help?

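The thread never arrives at a weekend-exclusion formula, so the following is an added example (not from this thread, and not Splunk code) showing, in Python, the logic the eval stage would have to implement: walk the open-to-close span one calendar day at a time, count only Monday-to-Friday time, average per rule_name and render the result as "N days, N hours, N minutes". The rule names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

def business_seconds(start: datetime, end: datetime) -> float:
    """Seconds from start to end, skipping any time that falls on Saturday or Sunday."""
    if end <= start:
        return 0.0
    total, cur = 0.0, start
    while cur < end:
        # Advance to midnight of the next day (or to end, if that comes first).
        next_midnight = (cur + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
        seg_end = min(next_midnight, end)
        if cur.weekday() < 5:          # Monday=0 .. Friday=4 count; 5 and 6 are the weekend
            total += (seg_end - cur).total_seconds()
        cur = seg_end
    return total

def business_seconds_iso(start: str, end: str) -> float:
    """Same, for ISO-8601 strings (the epoch _time/review_time values would be converted first)."""
    return business_seconds(datetime.fromisoformat(start), datetime.fromisoformat(end))

def format_duration(seconds: float) -> str:
    """Render a duration in the '3 days, 3 hours, 2 minutes' form asked for in the thread."""
    secs = int(seconds)
    days, secs = divmod(secs, 86400)
    hours, secs = divmod(secs, 3600)
    minutes = secs // 60
    return f"{days} days, {hours} hours, {minutes} minutes"

# Constructed sample notables: (rule_name, time opened, review_time of the Closed status).
SAMPLE_INCIDENTS = [
    ("Brute Force Access", "2024-06-03T10:00:00", "2024-06-06T13:02:00"),  # Mon -> Thu
    ("Brute Force Access", "2024-06-07T15:00:00", "2024-06-10T09:00:00"),  # Fri -> Mon, spans a weekend
    ("Malware Detected",   "2024-06-05T08:30:00", "2024-06-05T09:00:00"),  # same-day close
]

def average_ttc_by_rule(incidents):
    """Counterpart of 'stats avg(ttc) by rule_name', with ttc measured in business seconds."""
    per_rule = {}
    for rule, opened, closed in incidents:
        per_rule.setdefault(rule, []).append(business_seconds_iso(opened, closed))
    return {rule: format_duration(sum(v) / len(v)) for rule, v in per_rule.items()}

if __name__ == "__main__":
    for rule, avg in average_ttc_by_rule(SAMPLE_INCIDENTS).items():
        print(f"{rule}: {avg}")
```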

vatsalyay
New Member

@martin_mueller
