If you're using Enterprise Security, here is a search for SLA for closing a notable event:
`notable`
| search NOT `suppression` info_search_time=*
(urgency=low OR urgency=medium OR urgency=high OR urgency=critical)
| eval review_time=coalesce(review_time, now())
| eval response_time=(review_time-info_search_time)/60/60
| eval metric_count=case(status_group=="Open","0",(urgency=="critical" AND response_time<8),"1",(urgency=="high" AND response_time<24),"1",
(urgency=="medium" AND response_time<48),"1",(urgency=="low" AND response_time<96),"1",1=1,"0")
| stats count sum(metric_count) as metric_met by urgency
| eval "SLA Compliance Percent" =round((metric_met*100/count),2)
| rename count as "Total Events", urgency as Urgency
| fields Urgency, "Total Events", "SLA Compliance Percent"