Hello, 

Below is a sample SPL that you can use for incidents that are already closed.

|`mc_incidents` | search status_label="Closed" | spath input=sla path=sla_total_time output=sla_time | spath input=sla path=sla_units output=sla_units | eval sla_seconds =if (sla_units='h', 3600, if(sla_units='d', 86400, if(sla_units='m', 60, 60))) | eval sla_seconds=sla_seconds*sla_total_time  | eval time_taken=update_time - mc_create_time | eval sla_status= if(time_taken > sla_seconds, "not met", "met") | table display_id, sla_status, assignee, status_label

Let us know if you have any questions.
Mallikarjuna