|
| 1 | +--- |
| 2 | +applies_to: |
| 3 | + stack: ga |
| 4 | + serverless: ga |
| 5 | +products: |
| 6 | + - id: kibana |
| 7 | +--- |
| 8 | + |
| 9 | +# Visualize case data [visualize-case-data] |
| 10 | + |
| 11 | +Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case patterns and trends. |
| 12 | + |
| 13 | +## About case analytics indices |
| 14 | + |
| 15 | +Case analytics indices and their aliases are automatically generated when Kibana starts up. Every five minutes, the indices are updated with new data from cases in your space. Historical data about cases is not stored; it gets overwritten whenever new case data is written to the indices. |
| 16 | + |
| 17 | +You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to <new page>. |
| 18 | + |
| 19 | +| Index | Alias | Description | |
| 20 | +| ---------------------------- | ---------------------- |----------------------------------------- | |
| 21 | +| `.internal.cases` | `.cases` | Stores general data related to cases. | |
| 22 | +| `.internal.cases-comments` | `.cases-comments` | Stores data related to case comments. | |
| 23 | +| `.internal.cases-activity` | `.cases-activity` | Stores data related to case activity. | |
| 24 | +| `.internal.cases-attachments`| `.cases-attachments` | Stores data related to case attachments (only alerts and files added to the case). | |
| 25 | + |
| 26 | +## Explore case data [explore-case-analytics-indices] |
| 27 | + |
| 28 | +::::{admonition} Requirements |
| 29 | +To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices. |
| 30 | +:::: |
| 31 | + |
| 32 | +Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), then build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. |
| 33 | + |
| 34 | +* Find the total number of cases that are currently open: |
| 35 | + ```console |
| 36 | + FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "open" |
| 37 | + ``` |
| 38 | + |
| 39 | +* Find the total number of cases that are currently in progress: |
| 40 | + ```console |
| 41 | + FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress" |
| 42 | + ``` |
| 43 | + |
| 44 | +* Find the total number of cases that are closed: |
| 45 | + ```console |
| 46 | + FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "closed" |
| 47 | + ``` |
| 48 | + |
| 49 | +* Find cases that are open and sort them by time, with the most recent is at the top: |
| 50 | + ```console |
| 51 | + FROM .internal.cases | WHERE status == "open" | SORT created_at DESC |
| 52 | + ``` |
| 53 | + |
| 54 | +* Find the average time that it takes to close a case: |
| 55 | + ```console |
| 56 | + FROM .internal.cases | STATS average_time_to_close = AVG(time_to_resolve) |
| 57 | + ``` |
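Review bot: The sentence at line 17 still ends with the placeholder "refer to <new page>"; replace it with the real link to the field reference, or drop the sentence, before this merges. In the sample queries (lines 36 to 56), every example reads from `.internal.cases` although the table at lines 19 to 24 documents `.cases` as its alias. State which name readers are expected to query, and whether the privileges in the Requirements admonition (line 29) must be granted on the indices, the aliases, or both, so that roles are not scoped more broadly than needed. In that admonition `Read` is capitalized while `view_index_metadata` is not; use the casing the privilege has when it is entered in a role. Line 49 has a grammar slip: "with the most recent is at the top" should read "with the most recent at the top". The query at line 56 averages `time_to_resolve` without the text stating the unit of the result; add it next to the example.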