I want to write a query to get only those Incidents which are currently open with group ABC.
The result should NOT have 114, as it was closed by the ABC group.
The result should NOT have 113 and 116, as they were eventually closed by some other group.
My result should be:
112 and 115
index=test sourcetype=test_st | search group="ABC" AND status="Open"
But this query gives me 113 and 116 also.
Should I use an inner query or a lookup for this?
Please suggest some query logic.
index=test sourcetype=test_st | stats values(Status) as Status, values(Group) as Group by Incident | eval isClosed=mvfind(Status,"Closed") | where isnull(isClosed) | fields - isClosed
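The difference between the two searches, modelled in Python as an added example (not code from the question or the answer): the events for incidents 112 to 116 are constructed to match the scenario described in the question, and the two functions mirror the row-level `search` filter and the `stats values ... | eval mvfind | where isnull` pipeline of the answer.

```python
from collections import defaultdict

# Constructed sample events (not from the page) modelling the question:
# 112 and 115 are open with ABC; 114 was worked and closed by ABC;
# 113 and 116 were open with ABC but later closed by another group.
EVENTS = [
    {"Incident": "112", "Group": "ABC", "Status": "Open"},
    {"Incident": "113", "Group": "ABC", "Status": "Open"},
    {"Incident": "113", "Group": "XYZ", "Status": "Closed"},
    {"Incident": "114", "Group": "ABC", "Status": "Pending"},
    {"Incident": "114", "Group": "ABC", "Status": "Closed"},
    {"Incident": "115", "Group": "ABC", "Status": "Open"},
    {"Incident": "116", "Group": "ABC", "Status": "Open"},
    {"Incident": "116", "Group": "DEF", "Status": "Closed"},
]

def naive_filter(events):
    """The question's search: group="ABC" AND status="Open".
    It tests each event row on its own, so an incident that had an Open
    event with ABC at some point matches even if it was closed later."""
    return sorted({e["Incident"] for e in events
                   if e["Group"] == "ABC" and e["Status"] == "Open"})

def stats_values_by_incident(events):
    """Equivalent of: stats values(Status) as Status, values(Group) as Group by Incident.
    One row per incident holding the distinct values seen across its history."""
    rows = defaultdict(lambda: {"Status": set(), "Group": set()})
    for e in events:
        rows[e["Incident"]]["Status"].add(e["Status"])
        rows[e["Incident"]]["Group"].add(e["Group"])
    return rows

def never_closed(events):
    """The answer's logic: eval isClosed=mvfind(Status,"Closed") | where isnull(isClosed).
    mvfind returns the index of the first multivalue entry matching the regex and
    null when nothing matches, so only incidents with no Closed status in their
    whole history survive the where clause."""
    rows = stats_values_by_incident(events)
    return sorted(inc for inc, r in rows.items() if "Closed" not in r["Status"])
```

Note that `mvfind` takes a regex, so a status such as "Closed-Duplicate" would also count as closed in the real search.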