Hi @richgalloway, @ITWhisperer  I have similar doubt but little tedious: 


Use case:In my org primarily Mission Control events are investigated by SOC as soon as they pop up, if futher investigation is needed the incident is escalated to Enterprise security TEAM who is responsible to perform deeper/detailed investigation and update back in Mission Control. 
USE CASE: 
The enterprise security manger wants a DASHBOARD which will inform him about : 
if the investigation is being performed by his team (ES)> how much average time his team member takes to resolve an incident (for now I'm only focusing on this)> averaged over a month. 

jeff is ES resource  & stephen is SOC resource 
i want to pick end_time where resource is Stephen and notes is "Escalation to ES" and start_time where resource is jeff and subtract them in order to get claim_time_by_ES. 

SO far the query I'm using but not successful yet is: 

| mcincidents unwind_to=task 
| search incident_id="3e864839-xyzab"
| eval is_es_team=if(IN(owner, "Jeff","Rama", "Mel"), 1, 0) 
| eval is_soc_team=if(IN(owner, "Stephen", "Crossman", "Ruby","Cole"), 1,0)
| eval end_time_for_soc=if(is_soc_team==1 AND name=="Escalation to ES", end_time, null()) 
| eval start_time_for_ES=if(is_es_team==1, start_time, null()) 
| eval total_time_claimed=end_time_for_soc - start_time_for_ES

in the below snapshot of log the columns name are in sequence of:  owner > start_time > end_time > total_time_taken> notes