Hi Splunkers! First time posting here, but I could really use some help. I've been meddling with Splunk for a while, and I got the gist of it. However, I've been having a bad time with this particular search condition.

If you're familiar with ServiceNow, it creates event logs for every state change or update a ticket receives, so you have more than one log per INC (field name -> "number"). The following search allows me to see the latest "ticket" regardless of its dv_state. However, I want to "hide" the ones that are "Closed" or "Resolved". (Note: I've redacted some of the values as I consider them to be sensitive information.)

It's worth mentioning that the field "active" could be useful (values = "true" or "false"), but even if I put active="true", it will also show the dv_state in which this field was true (even though the latest state is "Closed").

```
splunk_server_group=oi source="[redacted]" sourcetype="snow:incident" number="*" short_description="[redacted]*" dv_state="*"
    dv_opened_by IN ("Oscar Pavon", "Helena Taribo", "Ronald Guevara", "Andres Penagos", "Matias Alcorta", "Agustin Gonzalez", "Abigail Soto", "Luis Huenuman")
    NOT sys_created_by IN ("rsa.archer", "Support")
| table number severity opened_at sys_updated_on dv_state dv_opened_by short_description dv_assignment_group
| sort -opened_at
| dedup number
| rename number as "INC Number", severity as "Severity", opened_at as "First Opened", sys_updated_on as "Latest Update", dv_opened_by as "Opened By", dv_assignment_group as "Assignment Group", dv_state as "Status", short_description as "Short Description"
```

| INC Number | Severity | First Opened | Latest Update | Status | Opened By | Short Description | Assignment Group |
|---|---|---|---|---|---|---|---|
| INC1075596 | 3 | 2021-02-11 19:34:48 | 2021-02-11 19:56:17 | New | Agustin Gonzalez | [redacted] | [redacted] |
| NC1071433 | 3 | 2021-02-08 14:52:55 | 2021-02-08 16:36:53 | Resolved | Abigail Soto | [redacted] | [redacted] |
| ... | ... | ... | ... | ... | ... | ... | ... |

Thanks!!
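The ordering problem described in the post (filtering on `active="true"` before `dedup number` keeps an older event for a ticket that was later closed), shown on constructed ServiceNow-style events rather than Splunk data; this is an added example, not part of the original post, and the field names and sample records are assumptions modelled on the post.

```python
from datetime import datetime

# Constructed snow:incident events: one record per state change, several per ticket.
EVENTS = [
    {"number": "INC1075596", "dv_state": "New",         "active": "true",  "sys_updated_on": "2021-02-11 19:56:17"},
    {"number": "INC1071433", "dv_state": "New",         "active": "true",  "sys_updated_on": "2021-02-08 14:52:55"},
    {"number": "INC1071433", "dv_state": "In Progress", "active": "true",  "sys_updated_on": "2021-02-08 15:10:02"},
    {"number": "INC1071433", "dv_state": "Resolved",    "active": "false", "sys_updated_on": "2021-02-08 16:36:53"},
    {"number": "INC1069001", "dv_state": "In Progress", "active": "true",  "sys_updated_on": "2021-02-04 12:00:00"},
    {"number": "INC1069001", "dv_state": "Closed",      "active": "false", "sys_updated_on": "2021-02-05 09:00:00"},
]
HIDDEN_STATES = {"Closed", "Resolved"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def dedup_latest(events):
    """Equivalent of `sort -sys_updated_on | dedup number`: keep the newest event per ticket."""
    latest = {}
    for event in events:
        current = latest.get(event["number"])
        if current is None or parse_ts(event["sys_updated_on"]) > parse_ts(current["sys_updated_on"]):
            latest[event["number"]] = event
    return list(latest.values())


def filter_then_dedup(events):
    """active="true" in the base search, then dedup: an earlier active event survives for
    tickets that were later resolved or closed, so those tickets are still listed."""
    return dedup_latest([e for e in events if e["active"] == "true"])


def dedup_then_filter(events):
    """Dedup first, then drop tickets whose *latest* state is Closed or Resolved."""
    return [e for e in dedup_latest(events) if e["dv_state"] not in HIDDEN_STATES]


def open_tickets(strategy):
    """Ticket numbers a given pipeline order reports as open, sorted for stable comparison."""
    return sorted(e["number"] for e in strategy(EVENTS))


if __name__ == "__main__":
    print("filter then dedup:", open_tickets(filter_then_dedup))  # all three tickets
    print("dedup then filter:", open_tickets(dedup_then_filter))  # only INC1075596
```

In SPL the second ordering corresponds to applying the state filter after the dedup, e.g. `... | sort -sys_updated_on | dedup number | search NOT dv_state IN ("Closed", "Resolved")`.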