My apologies for not reading the question carefully. eventstats is your friend.

```
| eventstats values(Status) by Host
| where NOT "FIXED" IN ('values(Status)')
| fields - "values(Status)"
```

Here, I am breaking out of my usual pattern to use a semantic filter. For economy, you can also use the side effect of Splunk's equality on multivalue:

```
| eventstats values(Status) by Host
| where 'values(Status)' != "FIXED"
| fields - "values(Status)"
```

Either way, you get

| Date | Host | Status |
|---|---|---|
| 2024-07-22 | host2 | NEW |
| 2024-07-23 | host2 | ACTIVE |
| 2024-07-24 | host2 | ACTIVE |
| 2024-07-25 | host2 | ACTIVE |
| 2024-07-26 | host2 | ACTIVE |
| 2024-07-27 | host2 | ACTIVE |
| 2024-07-28 | host2 | ACTIVE |
| 2024-07-29 | host2 | ACTIVE |

Here is an emulation you can play with and compare with real data:

```
| makeresults format=csv data="Date, Host, Status
2024-07-22, host1, NEW
2024-07-22, host2, NEW
2024-07-23, host1, ACTIVE
2024-07-23, host2, ACTIVE
2024-07-24, host1, ACTIVE
2024-07-24, host2, ACTIVE
2024-07-25, host1, FIXED
2024-07-25, host2, ACTIVE
2024-07-26, host2, ACTIVE
2024-07-27, host2, ACTIVE
2024-07-28, host2, ACTIVE
2024-07-29, host2, ACTIVE"
```
(data emulation above)
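The point of the answer above is that the filter has to be decided per Host, not per event: a plain `where Status != "FIXED"` would keep host1's NEW and ACTIVE rows even though host1 was eventually fixed. The Python below is an added example (not code from the answer or from Splunk) that emulates the `eventstats values(Status) by Host | where NOT "FIXED" IN (...)` pipeline over the same constructed sample data, side by side with the naive event-level filter, so the difference is visible. The function names `eventstats_values`, `hosts_never_fixed` and `naive_status_filter` are assumed names for this illustration.

```python
"""Added example: emulate the eventstats group-level filter in Python.

This is not the post's SPL and not a Splunk API; it only reproduces the
semantics of `eventstats values(Status) by Host` followed by a per-event
`where`, to show why a group-level aggregate is needed here.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample data, copied from the makeresults emulation above.
SAMPLE_CSV = """Date,Host,Status
2024-07-22,host1,NEW
2024-07-22,host2,NEW
2024-07-23,host1,ACTIVE
2024-07-23,host2,ACTIVE
2024-07-24,host1,ACTIVE
2024-07-24,host2,ACTIVE
2024-07-25,host1,FIXED
2024-07-25,host2,ACTIVE
2024-07-26,host2,ACTIVE
2024-07-27,host2,ACTIVE
2024-07-28,host2,ACTIVE
2024-07-29,host2,ACTIVE
"""


def parse_rows(text: str) -> list[dict]:
    """Read the CSV into a list of event dicts (Date, Host, Status)."""
    return list(csv.DictReader(StringIO(text)))


def eventstats_values(rows: list[dict], field: str, by: str) -> list[dict]:
    """Emulate `eventstats values(<field>) by <by>`.

    Unlike `stats`, every input row is kept; each row just gains a new
    multivalue column `values(<field>)` holding the distinct values of
    <field> seen anywhere in its <by> group (first-seen order).
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for r in rows:
        if r[field] not in groups[r[by]]:
            groups[r[by]].append(r[field])
    key = f"values({field})"
    return [dict(r, **{key: list(groups[r[by]])}) for r in rows]


def hosts_never_fixed(rows: list[dict], fixed: str = "FIXED") -> list[dict]:
    """Emulate the answer's pipeline:
       | eventstats values(Status) by Host
       | where NOT "FIXED" IN ('values(Status)')
       | fields - "values(Status)"
    Keeps every event of a host that never reached FIXED, drops all
    events of a host that reached it at any point.
    """
    annotated = eventstats_values(rows, "Status", "Host")
    kept = [r for r in annotated if fixed not in r["values(Status)"]]
    for r in kept:                      # `fields - "values(Status)"`
        r.pop("values(Status)")
    return kept


def naive_status_filter(rows: list[dict], fixed: str = "FIXED") -> list[dict]:
    """The event-level filter `where Status != "FIXED"` for contrast:
    it only removes the single FIXED event and keeps host1's earlier rows."""
    return [r for r in rows if r["Status"] != fixed]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for r in hosts_never_fixed(rows):
        print(r["Date"], r["Host"], r["Status"])
    print("naive filter keeps", len(naive_status_filter(rows)), "rows")
```

Run on the sample data the group-level filter returns the eight host2 rows shown in the answer's table, while the naive filter returns eleven rows, three of them for host1.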