(index=somewhere sourcetype=something source=somethingelse) AND ((Action=Save AND CurrentState=Closed AND Comment="Processed by ChangeGear Mobile.") OR (Action=CommentaryDescription)) NOT CurrentState="In-Progress" NOT CurrentState="Unsubmitted" NOT CurrentState="New" NOT CurrentState="Waiting for Details" | eventstats count as duplicates by LastModifiedDateTime | where duplicates>1 | table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState | sort -LastModifiedDateTime I ended up looking at the issue in a different way. I realized that the LastModifiedDateTime entries for these were the exact same timestamps and appear to only occur during the specific conditions I was filtering for. So I ended up going with the changes as per above, where I would find the duplicate timestamps and filter only for those. ... View more

Ok, so we went back to the drawing board with this one and ended up changing how we search for the information. We have a task that collects the AD user data into a lookup table and am now able to show the SamAccountName, DistinguishedName, AccountExpires and has it set to show accounts that have reached over 10 days of the expires date : | inputlookup ad-user-lookup | eval expires=strptime(AccountExpires,"%m/%d/%Y %H:%M:%S %p") | eval is_interesting=if(expires<now()-60*60*24*10,1,0) | search is_interesting=1 NOT DistinguishedName="*,OU=Users - Disabled,DC=testdomain,DC=ca" NOT DistinguishedName="*,OU=Training*" NOT DistinguishedName="*OU=Users - On Leave,DC=testdomain,DC=ca" | table SamAccountName, DistinguishedName, AccountExpires, expires, is_interesting This will help us identify accounts that had an expire date set that are not in the On leave, Disabled or training OU's after 10 days. ... View more