Yes ofcourse Here is my example data. On the left is the alert when it first comes in and on the right is after it has been reviewed and closed.

I tried initially to just dedup but that was before I knew it had mulitple events it was pulling in. Since then I have tried the following: 

1. I tried doing an mvindex on the status events but it was still pullin in all of the events.

2. I then tried doing the lastest(status) but realized that was only going to pull in what the actualy lastest status of the ID was and would still include all of the events. 

3. I also tried doing a sub search per some guidance from a colleague that ended up looking lik the following: 

| dedup id

| where  [ search index=source | stats latest(status) as latest_status by id | where latest_status="closed" | return $id ]

4. Lastly, I tried going at the metadata which looked like the following: 

| dedup id | fields id | format | rex mode=sed field=search "s/ / OR /g" | eval search="NOT (id IN (" + search + "))" | fields search | format "" "" "" "" "" "" "search"

and turned into this

[ | search index="source" NOT (status="Open" OR status="Escalated") | stats count by id | fields id | format "" "" "" "" "," "OR" "id!=" | rex mode=sed field=search "s/^(.*)$/NOT (id IN (\1))/"

Dedup is rarely the way to go.

OK. So you have some json events (for future reference - It's better to copy-paste _raw_ event, not the rendered form from the Splunk UI into a code block or a preformatted-styled paragraph.

I assume all your events for a single alert share the id field, right? I'm not sure however what is the relation between those two evens since one seems to contain subset of the data contained in the other one. It looks a bit wasteful if you're not just logging changes in your alert's state but repeat the growing "history" with each subsequent event.

What are you trying to get from those event then?

I don't need those really. I only need the ones that have not been updated so the status is still Open or Esclated as I am trying to get a number for volume on what is still outstanding. So yes you are correct, these events are associted with the same ID but there are different IDs. What I want is to exclude all of the IDs where the status has been updated and closed (I don't want them to show the open or escalated event). 

Ok. So these actually were different ids? Because of your anonymization they looked as if they were to be the same id.

So you have only one event per each id? And you want to exclude those that have action=closed or some other values?

As far as I can see your jsons should parse so that you get a multivalued field some.path{}.log.action, am I right?

If so, you can use normal field=value conditions. Just remember that with multivalued fields key!="myvalue" matches an event where there is at least one value in the field key not equal to myvalue whereas NOT key="myvalue" requires that none of the values in the field key match myvalue (or the field is empty).