Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Nested search to identify null counts

pinalshah341
Loves-to-Learn
‎07-12-2021 07:15 PM

Below are my 2 log lines - 

1.Successfully received message RECEIVED, payload={\"reference_id\":\"ABCD\"...}

2. Successfully published COMPLETED,  payload=(referenceId=ABCD,...

For the given referenceId ABCD, I want to search if "COMPLETED" message was published or not. 

I am trying to do nested search but not getting the right result - 

index=xyz "Successfully *"  "COMPLETED"  | rex "referenceId=(?<referenceId>[^,]*).*" | join reference_id in [search index=xyz  "Successfully * message" AND ("RECEIVED") | rex "reference_id\\\\\":\\\\\"(?<reference_id>[^\\\\]*).*" | dedup reference_id | fields reference_id] | stats count by referenceId | where count < 1

I am expecting output like - 

ABCD 0

Labels (5)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-12-2021 07:45 PM

Hi @pinalshah341 

Can you try this, start using from rex command before that it was for testing. if the count is <= 1 that means you have no Completed status associated to referenceId.

 

 

 

| makeresults 
| eval _raw="Successfully received message RECEIVED, payload={\"reference_id\":\"ABCD\"...} | Successfully published COMPLETED,  payload=(referenceId=ABCD,..." 
| makemv delim="|" _raw 
| mvexpand _raw 
| rex field=_raw "payload\=\{\\\"reference_id\\\":\\\"(?<ReferenceID>\w+)" 
| rex field=_raw "payload\=\(referenceId\=(?<ReferenceID>[^\,]+)" 
| stats count by ReferenceID 
| where count <= 1

 

 

 

---

An upvote would be appreciated and Accept Solution if this reply helps!

0 Karma
Reply

pinalshah341
Loves-to-Learn
‎07-12-2021 08:04 PM

The problem with this approach is, if a "RECEIVED" message is published in last 1 min of the search range i.e. "COMPLETED" message is still in processing state, it will falsely show up in the table. To avoid that, I was going by the nested search approach. Let me know if this usecase can be fixed using the same query you suggested.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-12-2021 09:04 PM

@pinalshah341 When you change the condition to | where count > 1 would only provide events completed.

<=1 would be either in progress or not completed. subsearch with join vs combining results would achieve the same results.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-12-2021 07:46 PM

Your query would be something like this,

 

 

index=xyz "Successfully *"  "COMPLETED" 
| rex field=_raw "payload\=\{\\\"reference_id\\\":\\\"(?<ReferenceID>\w+)" 
| rex field=_raw "payload\=\(referenceId\=(?<ReferenceID>[^\,]+)" 
| stats count by ReferenceID 
| where count <= 1

 

 

---

An upvote would be appreciated and Accept Solution if this reply helps!

Tags (2)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...