Hi guys,

Tickets can have states:

em7_state = Open
em7_state = In Progress
em7_state = Closed

Tickets are stored in the following format:

date,time,em7_state,em7_description,em7_ticket_id
date,time,em7_state,em7_description,em7_ticket_id
date,time,em7_state,em7_description,em7_ticket_id
date,time,em7_state,em7_description,em7_ticket_id
date,time,em7_state,em7_description,em7_ticket_id

So it might happen, that a ticket gets created with status open:

2018-07-01,00:00:01,Open,em7_description,em7_ticket_id

Then it gets updated (to In Progress) at

2018-09-03,20:00:01,In
Progress,em7_description,em7_ticket_id

And it is not closed until today.

How do I search for tickets that are currently open ?

If i do a simple search like:

index=xxxx (em7_state = "Open" OR
em7_state = "In Progress") | dedup em7_ticket_id

Then my search would be bound to the timeframe selected — let's say last 24hrs; thus, tickets created earlier won't show up (because there was no change in em7_state logged).

Thanks for your input