Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Nested search to identify null counts

pinalshah341
Loves-to-Learn
‎07-12-2021 07:15 PM

Below are my 2 log lines - 

1.Successfully received message RECEIVED, payload={\"reference_id\":\"ABCD\"...}

2. Successfully published COMPLETED,  payload=(referenceId=ABCD,...

For the given referenceId ABCD, I want to search if "COMPLETED" message was published or not. 

I am trying to do nested search but not getting the right result - 

index=xyz "Successfully *"  "COMPLETED"  | rex "referenceId=(?<referenceId>[^,]*).*" | join reference_id in [search index=xyz  "Successfully * message" AND ("RECEIVED") | rex "reference_id\\\\\":\\\\\"(?<reference_id>[^\\\\]*).*" | dedup reference_id | fields reference_id] | stats count by referenceId | where count < 1

I am expecting output like - 

ABCD 0

Labels (5)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-12-2021 07:45 PM

Hi @pinalshah341 

Can you try this, start using from rex command before that it was for testing. if the count is <= 1 that means you have no Completed status associated to referenceId.

 

 

 

| makeresults 
| eval _raw="Successfully received message RECEIVED, payload={\"reference_id\":\"ABCD\"...} | Successfully published COMPLETED,  payload=(referenceId=ABCD,..." 
| makemv delim="|" _raw 
| mvexpand _raw 
| rex field=_raw "payload\=\{\\\"reference_id\\\":\\\"(?<ReferenceID>\w+)" 
| rex field=_raw "payload\=\(referenceId\=(?<ReferenceID>[^\,]+)" 
| stats count by ReferenceID 
| where count <= 1

 

 

 

---

An upvote would be appreciated and Accept Solution if this reply helps!

0 Karma
Reply

pinalshah341
Loves-to-Learn
‎07-12-2021 08:04 PM

The problem with this approach is, if a "RECEIVED" message is published in last 1 min of the search range i.e. "COMPLETED" message is still in processing state, it will falsely show up in the table. To avoid that, I was going by the nested search approach. Let me know if this usecase can be fixed using the same query you suggested.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-12-2021 09:04 PM

@pinalshah341 When you change the condition to | where count > 1 would only provide events completed.

<=1 would be either in progress or not completed. subsearch with join vs combining results would achieve the same results.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-12-2021 07:46 PM

Your query would be something like this,

 

 

index=xyz "Successfully *"  "COMPLETED" 
| rex field=_raw "payload\=\{\\\"reference_id\\\":\\\"(?<ReferenceID>\w+)" 
| rex field=_raw "payload\=\(referenceId\=(?<ReferenceID>[^\,]+)" 
| stats count by ReferenceID 
| where count <= 1

 

 

---

An upvote would be appreciated and Accept Solution if this reply helps!

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...