Sorry, still not clear for me how the expected outcome should look like.

I dont want any of the events for a ptask where there is result of task_active=false

I can't just do a search for task_active=true because it just brings back events from when the ptasks that are now task_active=false from when they were previously true

I was thinking of a solution of having a marker before I did the stats latest
| eval OutOfScope=if(task_active="false",1,0)

then I'd need something to say if for number if one event is OutOfScope=1 then all events for that ptask number are OutOfScope=1

Please try:

(`servicenow` sourcetype="problem" latest=@mon) OR (`servicenow` sourcetype="problem_task" latest=@mon dv_u_review_type="On Hold")
| eval problem=if(sourcetype="problem",number,dv_problem)
| stats values(eval(if(sourcetype="problem_task",number,null()))) as number, latest(eval(if(sourcetype="problem_task",active,null()))) as task_active, latest(eval(if(sourcetype="problem_task", dv_u_review_type,null()))) as dv_u_review_type, latest(eval(if(sourcetype="problem_task",dv_due_date,null()))) as task_due, latest(eval(if(sourcetype="problem",dv_opened_at,null()))) as prb_opened, latest(eval(if(sourcetype="problem",dv_active,null()))) as prb_active by problem
| fields problem, number, task_active, dv_u_review_type, task_due, prb_opened, prb_active
| search problem!="" AND task_active!=false

I need to omit all events for a ptask that is now task_active=false, not just the latest event, this is why I need to do something before the stats latest.

If I do stats values instead of stats latest I want the green events but the red events are causing issues with my data as they were more recent. Not sure if you saw my previous post but I was hoping there would be a way to put an out of scope marker throughout all the unwanted events

Please share the raw events from the shared example.