As you can see from my question before, I thoug I only needed the last event from the same Identification - and if this was the case, the dedup would work fine - but it turns out I need all the events for that ID that comes after the DELETED message.
To get the info, I'm running the following search:
index=xpto (source= inserted OR source=deleted) data.Date="2021-08-25T00:00:00" data.Identification=11894
| sort 0 -data.Timestamp
| fillnull value="INSERTED" data.Action
| table id data.Action data.Identification
My goal and help needed is to get all the events that come after the DELETED, in this case, the first 3 events of the search(as this is sorted by Timestamp). Of course it's not always the first 3 as this may vary.