https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559191#M158875 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/141631">@pinalshah341</a>&nbsp;</P><P>Can you try this, start using from rex command before that it was for testing. if the count is &lt;= 1 that means you have no Completed status associated to referenceId.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="Successfully received message RECEIVED, payload={\"reference_id\":\"ABCD\"...} | Successfully published COMPLETED, payload=(referenceId=ABCD,..." | makemv delim="|" _raw | mvexpand _raw | rex field=_raw "payload\=\{\\\"reference_id\\\":\\\"(?&lt;ReferenceID&gt;\w+)" | rex field=_raw "payload\=\(referenceId\=(?&lt;ReferenceID&gt;[^\,]+)" | stats count by ReferenceID | where count &lt;= 1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>---</P><P>An upvote would be appreciated and Accept Solution if this reply helps!</P> Tue, 13 Jul 2021 03:05:18 GMT venkatasri 2021-07-13T03:05:18Z https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559189#M158873 <P>Below are my 2 log lines -&nbsp;</P><P>1.Successfully received message RECEIVED, payload={\"reference_id\":\"ABCD\"...}</P><P>2. Successfully published COMPLETED,&nbsp; payload=(referenceId=ABCD,...</P><P>For the given referenceId ABCD, I want to search if "COMPLETED" message was published or not.&nbsp;</P><P>I am trying to do nested search but not getting the right result -&nbsp;</P><P>index=xyz "Successfully *"&nbsp; "COMPLETED"&nbsp; | rex "referenceId=(?&lt;referenceId&gt;[^,]*).*" | join reference_id in [search index=xyz&nbsp; "Successfully * message" AND ("RECEIVED") | rex "reference_id\\\\\":\\\\\"(?&lt;reference_id&gt;[^\\\\]*).*" | dedup reference_id | fields reference_id] | stats count by referenceId | where count &lt; 1</P><P>I am expecting output like -&nbsp;</P><P>ABCD 0</P> Tue, 13 Jul 2021 02:15:43 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559189#M158873 pinalshah341 2021-07-13T02:15:43Z https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559191#M158875 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/141631">@pinalshah341</a>&nbsp;</P><P>Can you try this, start using from rex command before that it was for testing. if the count is &lt;= 1 that means you have no Completed status associated to referenceId.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="Successfully received message RECEIVED, payload={\"reference_id\":\"ABCD\"...} | Successfully published COMPLETED, payload=(referenceId=ABCD,..." | makemv delim="|" _raw | mvexpand _raw | rex field=_raw "payload\=\{\\\"reference_id\\\":\\\"(?&lt;ReferenceID&gt;\w+)" | rex field=_raw "payload\=\(referenceId\=(?&lt;ReferenceID&gt;[^\,]+)" | stats count by ReferenceID | where count &lt;= 1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>---</P><P>An upvote would be appreciated and Accept Solution if this reply helps!</P> Tue, 13 Jul 2021 03:05:18 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559191#M158875 venkatasri 2021-07-13T03:05:18Z https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559192#M158876 <P>Your query would be something like this,</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=xyz "Successfully *" "COMPLETED" | rex field=_raw "payload\=\{\\\"reference_id\\\":\\\"(?&lt;ReferenceID&gt;\w+)" | rex field=_raw "payload\=\(referenceId\=(?&lt;ReferenceID&gt;[^\,]+)" | stats count by ReferenceID | where count &lt;= 1</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>---</P><P><SPAN>An upvote would be appreciated and Accept Solution if this reply helps!</SPAN></P> Tue, 13 Jul 2021 03:04:23 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559192#M158876 venkatasri 2021-07-13T03:04:23Z https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559195#M158877 <P>The problem with this approach is, if a "RECEIVED" message is published in last 1 min of the search range i.e. "COMPLETED" message is still in processing state, it will falsely show up in the table. To avoid that, I was going by the nested search approach. Let me know if this usecase can be fixed using the same query you suggested.</P> Tue, 13 Jul 2021 03:04:56 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559195#M158877 pinalshah341 2021-07-13T03:04:56Z https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559202#M158878 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/141631">@pinalshah341</a>&nbsp;When you change the condition to | where count &gt; 1 would only provide events completed.</P><P>&lt;=1 would be either in progress or not completed. subsearch with join vs combining results would achieve the same results.</P> Tue, 13 Jul 2021 04:04:08 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search-to-identify-null-counts/m-p/559202#M158878 venkatasri 2021-07-13T04:04:08Z