We are running the ES|QL query below in Kibana to build a table listing the alerts triggered by an external monitoring tool.
FROM winlogbeat-* | WHERE event.code == "3003" | STATS Alert_Time = VALUES(@timestamp), Severity = VALUES(Severity), Name = VALUES(AlertName), ActiveID = VALUES(AlertActiveID), Status = VALUES(AlertStatus), Device_Name = VALUES(Device_Name) BY @timestamp
When a new alert is generated, we get an event with the “Status” field set to “ACTIVE”. When the alert resolves, we get an event with the “Status” field set to “CLOSED”.
But now we want to create a table which shows only the alerts that are still ACTIVE and not resolved. Here the only key we can use to correlate the alert status is the “AlertActiveID” field, which is a unique number assigned to a new alert when it is generated; the same number is assigned to the new event when that alert resolves.
As per my understanding, we need to use something like LATEST(AlertActiveID) in the query, but it's not working.
Can someone help us with this so that we can get a table listing only the ACTIVE alerts (not resolved)?
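One way to get that table, as an added example rather than anything from the original post: ES|QL has no LATEST() aggregation, but because each alert produces one ACTIVE event and (once resolved) one CLOSED event sharing the same AlertActiveID, an alert is still open exactly when its AlertActiveID group contains no CLOSED event. The index pattern, event.code value and field names (AlertActiveID, AlertStatus, AlertName, Severity, Device_Name) are taken from the query in the post; the status strings ACTIVE/CLOSED are as described there.

```esql
FROM winlogbeat-*
| WHERE event.code == "3003"
// 1 for the CLOSED event of an alert, 0 for its ACTIVE event
| EVAL is_closed = CASE(AlertStatus == "CLOSED", 1, 0)
// One row per alert: the ACTIVE and CLOSED events share the same AlertActiveID
| STATS
    Alert_Time    = MIN(@timestamp),
    Last_Seen     = MAX(@timestamp),
    Severity      = VALUES(Severity),
    Name          = VALUES(AlertName),
    Device_Name   = VALUES(Device_Name),
    closed_events = SUM(is_closed)
  BY AlertActiveID
// Keep only alerts that never produced a CLOSED event
| WHERE closed_events == 0
| DROP closed_events
| SORT Alert_Time DESC
```

Two caveats when using this in a Kibana panel. First, the ACTIVE event has to fall inside the time range selected in the time picker; an alert opened before the start of the range will simply not appear, so the range should cover the longest time an alert can stay open. Second, this assumes an alert is never re-opened after CLOSED. If the monitoring tool can send ACTIVE again for the same AlertActiveID, replace the count test with a timestamp comparison: aggregate `active_at = MAX(CASE(AlertStatus == "ACTIVE", @timestamp))` and `closed_at = MAX(CASE(AlertStatus == "CLOSED", @timestamp))` in the STATS, then keep rows where `closed_at IS NULL OR active_at > closed_at`.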