Thanks rjthibod for your assistance. When I was trying this
I have created the below search for calculating the Response Mean time:
| incident_review
| chart values(_time) over rule_id by status_label
| join rule_id
    [search notable
    | search NOT suppression owner!=unassigned
    | rename _time as triggerTime ]
| rename "Resolved" as resolvedTime, "Closed" as closedTime, "In Progress" as inProgressTime, "Pending" as pendingTime
| eval ackTime = case(isnotnull(inProgressTime), inProgressTime, isnotnull(pendingTime), pendingTime, isnotnull(resolvedTime), resolvedTime, isnotnull(closedTime), closedTime, 1=1, "Unassigned")
| eval diffResponse = ackTime - triggerTime
| eventstats avg(diffResponse) as ResponseMean
| eval responseTime = strftime(diffResponse, "%H:%M:%S")
| eval alertTriggerTime = strftime(triggerTime, "%b %d %H:%M:%S")
| eval alertAckTime = strftime(ackTime, "%b %d %H:%M:%S")
| eval ResponseMeanTime = strftime(ResponseMean, "%H:%M:%S")
| table rule_id, alertTriggerTime, alertAckTime, responseTime, ResponseMeanTime
I have tried to use your query (| eval responseTime = tostring(diffResponse, "duration")), but I am unable to get the average value of the response time.
Kindly assist with this.