If I run the following search from 'incident_review' I can establish certain fields, but I need to try and calculate exactly when an incident was either assigned or closed. The idea is for a dashboard for KPI means. The search gives me the time and the status_label, but how would I work out when the status_label came into play?
| `incident_review` | fields _time, owner, reviewer, rule_id, status_label, urgency
So to clarify, an incident came in at 09:00 and was assigned for investigation at 09:45. This could potentially breach an SLA / KPI of 30 minutes, but how would I establish what time it was assigned?
Appreciate any thoughts on this.
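One way to derive the change times from the `incident_review` rows, added here as an example and not part of the original question: it assumes that every status change writes a new row to incident_review stamped with that change's _time, that the first row per rule_id is the notable's arrival, and that the label for an assigned incident is "In Progress" (a Splunk ES default; adjust to your status names).

```spl
| `incident_review`
| fields _time, owner, reviewer, rule_id, status_label, urgency
| sort 0 rule_id _time
| streamstats current=f last(status_label) as prev_status by rule_id
| where isnull(prev_status) OR status_label!=prev_status
| stats earliest(_time) as created_time,
        min(eval(if(status_label=="In Progress", _time, null()))) as assigned_time,
        min(eval(if(status_label=="Closed", _time, null()))) as closed_time,
        latest(owner) as owner,
        latest(urgency) as urgency
        by rule_id
| eval minutes_to_assign=round((assigned_time-created_time)/60, 1)
| eval sla_breached=if(minutes_to_assign>30, "yes", "no")
| convert ctime(created_time) ctime(assigned_time) ctime(closed_time)
| table rule_id owner urgency created_time assigned_time closed_time minutes_to_assign sla_breached
```

The streamstats/where pair keeps only the rows where status_label actually changed, so assigned_time is the first moment the incident entered "In Progress" rather than a later re-save with the same status. If your incident_review collection has no row for the notable's creation, take created_time from the `notable` macro instead and join it on rule_id.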