Hey Somesoni2!
Been a bit since I needed your lifeline. 🙂
I actually got it working after submitting the question and had to wait until today to add. Here's what I did that appears to work well:
"index=snow (NOT "https://generalatomicsdev.service-now.com/") (sourcetype=snow:incident (assignment_group_name="Applications (COTS)" OR assignment_group_name="Account Administration" OR assignment_group_name="SystemsInfra Operations") dv_state!=Resolved) OR (sourcetype=snow:sc_task (dv_assignment_group="Applications (COTS)" OR dv_assignment_group="Account Administration" OR dv_assignment_group="SystemsInfra Operations") dv_state!=Closed*) | rename number AS "Ticket Id", dv_assigned_to AS "Ticket Holder", dv_opened_at AS "Ticket Created", sys_updated_on AS "Last Updated" | where strptime('Ticket Created', "%m/%d/%Y %H:%M:%S %p")
... View more