Hello Community,
I'm currently having trouble with a dashboard panel I'm making. The dashboard panel is supposed to display the time to triage per analyst but for every notable. The results are supposed to be derived from notables with the status_label "Ready for Review" OR "Closed: False Positive" OR "Pending" OR "Closed: Valid - Remediated". The field TriageTime doesn't populate anything, I suspect the problem to be within the join.
Search is below:
`notable`
| where owner="User1" OR owner="User2" OR owner="User3" OR owner="User4" OR owner="User5" OR owner="User6"
| where status_label="Ready for Review" OR status_label="Closed: False Positive" OR status_label="Pending" OR status_label="Closed: Valid - Remediated"
| rename status_label as status
| rename rule_id as "Notable ID"
| rename rule_name as Notable
| rename owner as Analyst
| join type=left rule_id [ search notable | eval review_time=if(status_label="Ready for Review",_time,null())
| eval inprogresstime=if(status_label="In Progress",_time,null())
| eval TriageTime=reviewtime-inprogresstime
| eval TriageTime=tostring(TriageTime,"duration")
| convert timeformat="%H:%M:%S" ctime(TriageTime)
| stats min(review_time) as reviewtime min(inprogress_time) as inprogresstime values(rule_name) as rule_name values(owner) as real_name by rule_id]
| table TriageTime, Notable, Analyst
