Yes, of course. Here is my example data. On the left is the alert when it first comes in and on the right is after it has been reviewed and closed.

Alert Received:

    alert_type: search query
    asset: { ... }
    asset_term: null
    content_created_at: 2017-01-10T11:00:00+00:00
    escalated: false
    id: XXXXXX112
    last_modified: 2025-01-09T16:33:37Z
    logs: [
      {
        action: open
        detail:
        id:
        subject:
        timestamp: 2025-01-09T16:33:37+00:00
      }
      {
        action: modify tags
        detail:
        id:
        subject:
        timestamp: 2025-01-09T16:33:37+00:00
      }
    ]
    metadata: { ... }
    network: domains
    severity: 4
    status: Open
    timestamp: 2025-01-09T16:33:37+00:00
    timestamp_modify_tags: 2025-01-09T16:33:37+00:00

Alert Closed:

    alert_type: search query
    asset: { ... }
    asset_term: null
    content_created_at: 2017-01-10T11:00:00+00:00
    escalated: false
    id: XXXXXX112
    last_modified: 2025-01-09T17:10:52Z
    logs: [
      {
        action: close
        detail:
        id:
        subject:
        timestamp: 2025-01-09T17:10:52+00:00
      }
      {
        action: modify notes
        detail:
        id:
        subject:
        timestamp: 2025-01-09T17:10:48+00:00
      }
      {
        action: assign
        detail:
        id:
        timestamp: 2025-01-09T17:09:25+00:00
      }
      {
        action: open
        actor:
        detail:
        id:
        subject:
        timestamp: 2025-01-09T16:33:37+00:00
      }
      { ... }
    ]
    metadata: { ... }
    network: domain
    severity: 4
    status: Closed
    timestamp: 2025-01-09T16:33:37+00:00
    timestamp_modify_notes: 2025-01-09T17:10:48+00:00
    timestamp_modify_tags: 2025-01-09T16:33:37+00:00

I tried initially to just dedup, but that was before I knew it had multiple events it was pulling in. Since then I have tried the following:

1. I tried doing an mvindex on the status events, but it was still pulling in all of the events.

2. I then tried doing the latest(status), but realized that was only going to pull in what the actual latest status of the ID was and would still include all of the events.

3. I also tried doing a subsearch per some guidance from a colleague that ended up looking like the following:

    | dedup id
    | where [ search index=source | stats latest(status) as latest_status by id | where latest_status="closed" | return $id ]

4. Lastly, I tried going at the metadata, which looked like the following:

    | dedup id | fields id | format | rex mode=sed field=search "s/ / OR /g" | eval search="NOT (id IN (" + search + "))" | fields search | format "" "" "" "" "" "" "search"

   and turned into this:

    [ | search index="source" NOT (status="Open" OR status="Escalated") | stats count by id | fields id | format "" "" "" "" "," "OR" "id!=" | rex mode=sed field=search "s/^(.*)$/NOT (id IN (\1))/"
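As an added illustration (not part of the original post), the selection logic the searches above are after, applied in Python to the two snapshots from the post plus one constructed still-open alert: keep each id's newest snapshot by last_modified, then test that snapshot's status.

```python
"""Latest-status-per-alert filter (added example, not from the original post).

Each event is one snapshot of an alert, so the same id appears once per
snapshot. The aim, like the SPL attempts above, is to keep only the ids
whose *latest* snapshot is Closed and to exclude the rest.
"""
from datetime import datetime

# Constructed sample: the two snapshots of XXXXXX112 from the post, plus a
# second (hypothetical) alert that is still open, so the filter has
# something to exclude.
EVENTS = [
    {"id": "XXXXXX112", "status": "Open",
     "last_modified": "2025-01-09T16:33:37Z",
     "logs": [{"action": "open"}, {"action": "modify tags"}]},
    {"id": "XXXXXX112", "status": "Closed",
     "last_modified": "2025-01-09T17:10:52Z",
     "logs": [{"action": "close"}, {"action": "modify notes"},
              {"action": "assign"}, {"action": "open"}]},
    {"id": "XXXXXX113", "status": "Open",
     "last_modified": "2025-01-09T18:00:00Z",
     "logs": [{"action": "open"}]},
]

def _ts(value: str) -> datetime:
    """Parse last_modified; the API uses a 'Z' suffix rather than '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def latest_by_id(events):
    """Newest snapshot per id, chosen by last_modified rather than by the
    order the events arrive in, so index order does not change the result."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["id"])
        if cur is None or _ts(ev["last_modified"]) > _ts(cur["last_modified"]):
            latest[ev["id"]] = ev
    return latest

def closed_ids(events):
    """Ids whose latest snapshot is Closed (exact-case string compare)."""
    return sorted(i for i, ev in latest_by_id(events).items()
                  if ev["status"] == "Closed")

def still_open_ids(events):
    """Complement: the ids a NOT (id IN (...)) subsearch would have to list."""
    return sorted(i for i, ev in latest_by_id(events).items()
                  if ev["status"] in ("Open", "Escalated"))
```

One detail worth checking against the sample data: the API spells the status `Closed`, and the `where` command in SPL compares strings case-sensitively, so `where latest_status="closed"` would not match these events.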