Hi,

I have ticketing system values in my SIEM, where different support people work on a ticket. I am trying to create a table of tickets that shows only the last status per ticket. For example, if 3 engineers worked on a ticket, then this table should show only the last updated time and status. My problem is that the following query groups tickets correctly but shows all status values per ticket, and it also changed the _time format to integer values:

| table _time status service user eventid tickets
| stats values(status) values(service) values(user) values(eventid) by tickets
| convert ctime(_time)
| sort _time

Can you please advise?

Regards
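An added example, not part of the original post: `values()` returns every distinct value seen for a ticket, while `latest()` returns only the value from the most recent event, so one way to get a single row per ticket with its last status is the pipeline below. The field names are the ones from the post; `last_updated` is a name chosen here for the formatted timestamp.

```spl
| stats latest(_time) as _time latest(status) as status latest(service) as service latest(user) as user latest(eventid) as eventid by tickets
| sort 0 - _time
| eval last_updated=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table tickets last_updated status service user eventid
```

Each `latest()` is evaluated per field, so if some events lack a field, the row can mix values from different events; `| sort 0 - _time | dedup tickets` instead keeps the whole most recent event per ticket.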