Given a list of ticket entries, I'd like to generate a list of unique ticket IDs that are not resolved, the most recent time they were updated, and the most recent time they were updated by something other than the "System" user.
Essentially what I'd like to do is combine the following two searches:
ticket_status!=resolved | stats latest(ticket_edit_date) by ticket_id
ticket_status!=resolved ticket_update!="System" | stats latest(ticket_edit_date) by ticket_id
Perhaps something along the lines of this invalid search:
ticket_status!=resolved ticket_update!="System" | eval latest(ticket_edit_date) as LastUpdate latest(ticket_edit_date) where ticket_update!="System" as LastHumanUpdate by ticket_id
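One way to get both values in a single pass, as an added example that is not part of the original post: keep System updates in the base search and null out the edit date for them before aggregating. The field name human_edit_date is hypothetical, and the search assumes each event's _time reflects the edit, since latest() picks the value from the most recent event.

```spl
ticket_status!=resolved
| eval human_edit_date=if(ticket_update!="System", ticket_edit_date, null())
| stats latest(ticket_edit_date) as LastUpdate latest(human_edit_date) as LastHumanUpdate by ticket_id
```

Tickets that only System has touched still appear, with LastHumanUpdate left empty.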