Hi,

 index="osh" sourcetype="Service" CaseNumber=1111 status=* assignment_group=*
| dedup _time,CaseNumber,assignment_group 
| streamstats current=f last(assignment_group) as lg, last(active) as Active by CaseNumber 
| lookup Team.csv SO as sys_updated_by OUTPUT TeamName 
| eval is_escalated= if(assignment_group!=lg AND assignment_group="OSM L1",1,NULL) 
| eval is_resolved=if(assignment_group="OSM L1" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL) 
| stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by sys_updated_by,TeamName 
| fields - TeamName

when i run this query it is displaying like that(attached image).

For that case number(1111) 2 members worked.so this case resolved case so the output should be 1 for two members.

if it is escalated cases then in escalated cases i should should assign 1.

How to do this?