Hi all,
I need to create a dashboard which can provide me the total review time taken by the analyst. I have created the following query:
| datamodel Incident_Management Notable_Events search
| stats earliest(_time) as _time by rule_id
| `drop_dm_object_name("Notable_Events")`
| `get_correlations`
| join rule_id [
    | datamodel Incident_Management Incident_Review search
    | stats earliest(_time) as reviewtime by Incident_Review.rule_id, Incident_Review.reviewer_realname
    | `drop_dm_object_name("Incident_Review")`
  ]
| eval tot=reviewtime-_time
| stats count, avg(tot) as avg_tot, max(tot) as max_tot, min(tot) as min_tot by reviewer_realname
| sort - avg_tot
| `uptime2string(avg_tot, avg_tot)`
| `uptime2string(max_tot, max_tot)`
| `uptime2string(min_tot, min_tot)`
| rename *_tot* as *_time_to_review*
| fields - *_dec
This is working fine and giving me results close to my expectations. However, I don't need to include the off-business hours in the review time. For example, if I acknowledged an alert today and closed it tomorrow, the total review time should not include the off-business hour time (possibly 8-10 hours); it should get subtracted.
Can anybody help me here on this issue?
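One way to get the elapsed time with off-business hours removed, as an added example that is not part of the original post and not Splunk's own code: a Python routine that clips each calendar day of the acknowledge-to-close interval to an assumed 09:00-17:00 Monday-Friday window and sums the overlaps, then aggregates per reviewer the way the `stats` stage above does. The business window, the sample records and the field names `_time`, `reviewtime` and `reviewer` are assumptions; the same per-day clipping logic is what an `eval` in the query would have to reproduce.

```python
from datetime import datetime, timedelta, time

# Assumed business window; adjust to the SOC's actual hours/timezone.
BUSINESS_OPEN = time(9, 0)
BUSINESS_CLOSE = time(17, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday..Friday


def business_seconds(start: datetime, end: datetime) -> int:
    """Seconds between start and end that fall inside business hours.

    Walks every calendar day the interval touches, clips the interval to
    that day's business window, and adds the overlap. Weekends, nights and
    intervals that start after close or end before open contribute 0.
    """
    if end <= start:
        return 0
    total = 0
    day = start.date()
    while day <= end.date():
        if day.weekday() in BUSINESS_DAYS:
            lo = max(start, datetime.combine(day, BUSINESS_OPEN))
            hi = min(end, datetime.combine(day, BUSINESS_CLOSE))
            if hi > lo:
                total += int((hi - lo).total_seconds())
        day += timedelta(days=1)
    return total


def review_stats(records):
    """Per-reviewer count/avg/max/min of business-hours review time,
    mirroring the `stats ... by reviewer_realname` stage of the query."""
    per_reviewer = {}
    for r in records:
        per_reviewer.setdefault(r["reviewer"], []).append(
            business_seconds(r["_time"], r["reviewtime"]))
    return {rev: {"count": len(v), "avg": sum(v) / len(v),
                  "max": max(v), "min": min(v)}
            for rev, v in per_reviewer.items()}


# Constructed sample records (epoch fields would be converted with
# datetime.fromtimestamp before calling business_seconds).
SAMPLE_REVIEWS = [
    # Mon 16:00 -> Tue 10:00: 18h wall clock, 2h of business time
    {"rule_id": "r1", "reviewer": "alice",
     "_time": datetime(2024, 1, 15, 16, 0), "reviewtime": datetime(2024, 1, 16, 10, 0)},
    {"rule_id": "r2", "reviewer": "alice",
     "_time": datetime(2024, 1, 15, 10, 0), "reviewtime": datetime(2024, 1, 15, 11, 30)},
    # Fri 16:30 -> Mon 09:30: weekend dropped, 1h of business time
    {"rule_id": "r3", "reviewer": "bob",
     "_time": datetime(2024, 1, 19, 16, 30), "reviewtime": datetime(2024, 1, 22, 9, 30)},
]
```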