I'd like to add a percentage to the following panel. I've added severity since I only want to see it for critical and high severity. Now I'd like to define an SLA value of, let's say, 2 hours, and then get, for each rule, the percentage of its count that breached that SLA. In other words: in this statistic I want an additional field that tells me what percentage of the counted events for those rules have a max time to triage longer than 2h. Example: rule 1, count 20 (10 breached the 2h SLA) -> a field that shows 50%. I can't seem to find a good way to get a percentage in. Here is the whole SPL (mostly from ES): | tstats summariesonly=true allow_old_summaries=false earliest(_time) as _time FROM datamodel=Incident_Management BY source, "Notable_Events_Meta.rule_id"
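| rename "Notable_Events_Meta.*" as "*"
| lookup update=true correlationsearches_lookup _key as source OUTPUTNEW annotations, security_domain, severity, rule_name, description as savedsearch_description, rule_title, rule_description, drilldown_name, drilldown_search, drilldown_earliest_offset, drilldown_latest_offset, default_status, default_owner, next_steps, investigation_profiles, extract_artifacts, recommended_actions
| eval rule_name=if(isnull(rule_name),source,rule_name),
rule_title=if(isnull(rule_title),rule_name,rule_title),
drilldown_earliest=case(isint(drilldown_earliest_offset),('_time' - drilldown_earliest_offset),(drilldown_earliest_offset == "$info_min_time$"),info_min_time,true(),null()),
drilldown_latest=case(isint(drilldown_latest_offset),('_time' + drilldown_latest_offset),(drilldown_latest_offset == "$info_max_time$"),info_max_time,true(),null()),
security_domain=if(isnull(security_domain),"threat",lower(security_domain)),
rule_description=case(isnotnull(rule_description),rule_description,isnotnull(savedsearch_description),savedsearch_description,true(),"unknown")
| eval governance_lookup_type="default"
| lookup update=true governance_lookup savedsearch as source, lookup_type as governance_lookup_type OUTPUT governance, control
| eval governance_lookup_type="tag"
| lookup update=true governance_lookup savedsearch as source, tag, lookup_type as governance_lookup_type OUTPUT governance as governance_tag, control as control_tag
| eval governance=mvappend(governance,NULL,governance_tag), control=mvappend(control,NULL,control_tag)
| fields - governance_lookup_type, governance_tag, control_tag
``` inner join: notables with no incident_review entry are dropped, and subsearch result limits apply to the lookup side ```
| join rule_id
    [| inputlookup incident_review_lookup
    | eval _time=time
    | stats earliest(_time) as review_time by rule_id]
``` time to triage in seconds: first review entry minus notable creation ```
| eval ttt=(review_time - '_time')
``` SLA threshold in seconds (2 hours); change here, or bind to a dashboard token, to adjust ```
| eval sla_seconds=2*3600
``` per-notable breach flag, set before aggregation so it can be summed per rule ```
| eval sla_breached=if(ttt > sla_seconds, 1, 0)
| stats count, sum(sla_breached) as sla_breached_count, values(severity) as severity, avg(ttt) as avg_ttt, min(ttt) as min_ttt, max(ttt) as max_ttt by rule_name
| search severity=high OR severity=critical
``` share of this rule's notables whose time to triage exceeded the SLA; count is at least 1 per group so no divide-by-zero ```
| eval sla_breached_pct=round(100 * sla_breached_count / count, 1)
``` sort while the *_ttt fields are still numeric; the uptime2string macros below replace them with display strings ```
| sort severity -avg_ttt
| `uptime2string(avg_ttt, avg_ttt)`
| `uptime2string(max_ttt, max_ttt)`
| `uptime2string(min_ttt, min_ttt)`
| rename "*_ttt*" as "*(time_to_triage)*"
| fields - "*_dec"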