Creating custom incident graphs
You can create custom graphs to display incident trends over time.
You create a custom graph by adding a custom widget. You add fields, and add filters to focus on the areas of greatest interest to your organization. For best results, create test graphs and variations to become familiar with the graphing capabilities. For example, create a graph that shows the average time for incidents to close per month, by incident severity, and by geographical location.
- Incidents over time.
- Average time to close by type.
- Average time to close by severity.
- Average time to close by location.
- Average time to close by workspace.
The following examples show each of these graphs and the fields that are used to create them.
- Incidents over time
- This example graphs incidents over time. It shows the open incidents by type and over time periods (weeks). You can create variations of this example. The fields that are used to create it are shown in the following graphic.
You can apply a maximum of four fields to any graph or chart. The fields control the data that is displayed in the graph. When you create the graph from the custom widget, you select the fields from the list of fields in the Fields section. Then, you determine the order of the fields. For example, you might want to see Incident Type by Date Created. Drag the fields to the appropriate area before or after By. For some fields, you can click the edit icon to configure the field values. For example, for Date Created you can change time units to days, or hours.
- Average time to close by type
- This example graphs the average time that it takes for incidents to close, by incident type. You can create variations, such as the time it takes for incidents to close by type per month, or per workspace.
This sample is a Bar graph, and the fields that are used to create it are shown in the following graphic.
- Average time to close by severity
- This example graphs the average time for incidents to close by severity. You can create variations, such as average time to close by severity, per workspace.
This sample is a Column graph, and the fields that are used to create it are shown in the following graphic.
- Average time to close by location
- This example graphs the average time to close for incidents based on location. You can create variations, such as average time to close by location, per month.
This sample is a Table graph, and the fields that are used to create it are shown in the following graphic.
- Average time to close by workspace
- This example graphs the average time to close incidents per workspace.
This sample is a Column graph, and the fields that are used to create it are shown in the following graphic.
Creating graphs over time
When you create a custom graph, all incident fields are available for selection, including your custom fields. You can choose from multiple graph formats and you can configure the graph to display trends over time.
About this task
Before you begin creating a custom graph, it is useful to design your graph in advance and define the time range. Then, identify the filters and fields you need to narrow down the data that is displayed. Typically, creating a graph requires some trial and error and fine-tuning. For example, selecting a small time unit, such as minutes, over a longer period results in too many data points. Changing the time units to a larger unit, such as days, makes the displayed data more useful. When you select the fields for your graphs, you can add a maximum of two fields for each field selection area.
The following steps show an example of how to create an incident over time graph.
Procedure
Creating graphs using Time Tracker
You can use Time Tracker to track the duration incident fields spend on each value.
About this task
You use Time Tracker to determine how much time an incident spends in each value (or collection of values) of a chosen field. For example, you can track how long an incident remains in each phase before it moves to the next phase. To use Time Tracker, the field must be previously configured by the playbook designer to track time changes.
For simple graphs, you can use Time Tracker by itself without relating it to another field. For more complex graphs, specify one or more fields in the Fields area and Time Tracker in the By area. In either case, you need to configure Time Tracker, which includes specifying a field to track time and the mathematical computations, such as sum and average.
When Time Tracker is in the Fields area, its values display on the x axis. In the By area, its values are on the y axis.
For a video and tutorial on how to track time changes to incident field values, see https://www.securitylearningacademy.com/course/view.php?id=4841.
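The following added example (not product code, and not the product's implementation) illustrates the kind of computation a Time Tracker graph reports: time spent in each value of a tracked field, then summed or averaged across incidents. The phase names, incident IDs, timestamps, and the rule that no time accrues in a terminal value are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample history of a tracked field: (incident id, change time, new value).
CHANGES = [
    (101, "2024-03-01T09:00", "Detect"),
    (101, "2024-03-01T11:00", "Respond"),
    (101, "2024-03-02T11:00", "Detect"),    # incident moved back a phase
    (101, "2024-03-02T12:00", "Respond"),
    (101, "2024-03-03T12:00", "Closed"),
    (102, "2024-03-05T08:00", "Detect"),
    (102, "2024-03-05T12:00", "Respond"),   # still in Respond at report time
]
REPORT_TIME = datetime.fromisoformat("2024-03-06T12:00")
TERMINAL = {"Closed"}  # assumption: no time accrues in a terminal value


def time_per_value(changes, report_time):
    """Return {incident_id: {value: timedelta}} from a change history."""
    by_incident = defaultdict(list)
    for inc_id, ts, value in changes:
        by_incident[inc_id].append((datetime.fromisoformat(ts), value))
    result = {}
    for inc_id, events in by_incident.items():
        events.sort()
        spent = defaultdict(timedelta)
        for i, (start, value) in enumerate(events):
            if value in TERMINAL:
                continue
            # A value lasts until the next change, or until report time if current.
            end = events[i + 1][0] if i + 1 < len(events) else report_time
            spent[value] += end - start   # revisits of a value accumulate
        result[inc_id] = dict(spent)
    return result


def aggregate(per_incident, how="average"):
    """Sum or average the hours spent in each value across incidents."""
    totals, counts = defaultdict(float), defaultdict(int)
    for spent in per_incident.values():
        for value, delta in spent.items():
            totals[value] += delta.total_seconds() / 3600
            counts[value] += 1
    if how == "sum":
        return dict(totals)
    return {v: totals[v] / counts[v] for v in totals}


if __name__ == "__main__":
    print(aggregate(time_per_value(CHANGES, REPORT_TIME), "average"))
```

An incident that returns to an earlier value accumulates time there, and an incident still open at report time pulls the average up, so compare sum and average before reading a trend from either one.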