Hello all, first time post. It's been a great adventure but boy there is alot to learn. I will try and be clear as possible.

I have a dashboard I am making that pulls data from Splunk regarding support tickets (specifically ticket #'s and supposedly current status).  I am finding that in any date range there can be multiple Splunk entries for the same ticket. It's like Splunk is picking up an event every time there is an update to said ticket.

So if I say pull any tickets for a particular queue name with the status of Assigned, there may already be a newer event that has come in that is status of Closed. How can I filter my data to pull incidents by queue and be sure I am getting the most recent possible status?

Here's a code example. I cut out some the eval statements to make it easier to read.

((index="wss_desktop_os") (sourcetype="db_itsm" OR sourcetype="wss_itsm_remedy")) earliest=-24h
| search (queuename AND TOTAL_TRANSFERS >= "4" NOT STATUS_TXT="Closed")
| dedup INCIDENT_#
| table ASSIGNED_GROUP, INCIDENT_#,STATUS_TXT, ASSIGNEE, Age-Days, TOTAL_TRANSFERS

It makes an output like this:

John F