Thank you thambisetty. Here is the slightly modified version that worked for my use case:   index=myindex sourcetype=mysourcetype | table event,ref,foo | eval type=case(event=="string1","search1",event=="string2" AND foo=="bar","search2") | eventstats dc(type) as dc_type by ref | search dc_type=1 AND type=search1   This returns only events that match the following criteria: 1. They have 'string1' as their event 2. They do not have a corresponding 'event=string2 AND foo=bar' event, with 'corresponding' in this case being determined by the ref field via  'as dc_type by ref'. ... View more

That's right. Just checking I had a correct understanding of how it worked. ... View more

No results found ... View more

Thanks Thambisetty, I think this is close. "eventstats is to find matches of those two types in events based on ref" Running your query I get all six expected events returned. Field 'dc_type' is 1. Would I be correct in assuming that, once I have events of "event=string2 and foo=bar" that also have a ref value that matches an event with 'event=string1', I would see 'dc_type = 2' for that event? ... View more

Thanks renjith_nair, I edited the search to use dc but still no joy. When I say "there are no 'event=string2'" events, I mean that the second search - 'event=string2 AND foo=bar' - should not match any events, as there are none in the index that match this query. What I am trying to do is find Splunk events that have "event=string1", *and that do not have* a corresponding separate event with 'event=string2 and foo=bar'. The 'corresponding' part comes through matching the value of the 'ref' field. If there is a Splunk event with 'event=string1' and there is also a corresponding separate 'event=string2 and foo=bar' - corresponding as evidenced by both Splunk events having the same value in their 'ref' field - then we don't want to show that data in our results. Think of it like looking for TCP 'syn' packets that don't have a corresponding 'ack' packet: we don't want to show tcp flows where we have SYN/ACK, just ones where we have SYN and no corresponding ACK. I have six events that match 'event=string1' and zero events matching 'event=string2 AND foo=bar', so I would expect all six to be included in the count, but I'm seeing zero events even after changing from value to dc. ... View more

'event' is a field, as is ref, edate, adate. Running your suggested query without the 'where eventCount > 2' line, I have all six events of 'event=string1' returned. Note there are no 'event=string2' events in the data set (as we're trying to match NOT EXIST on that event type). Running it with the 'where eventCount > 2' line gives me zero results. I need to return the set of events that match 'event=string1' *and also*, where the ref for those matched events is not found in any another event matching 'event=string2 and foo=bar'. ... View more

Thanks Thambisetty. This gives me a count of each event ref where the event does not have 'string2' in event and  'bar' in foo, but isn't quite what I'm after. I need to return the set of events that match 'event=string1' *and also*, where the ref for those matched events is not found in any another event matching 'event=string2 and foo=bar'. ... View more

Events have this format: { "ref" : "abcdefg001", "somekey" : "somevalue", "otherkey" : "othervalue", "event" : "string1", "edate" : "20100101114512345", "adate" : "20100101123000", "foo" : "bar" } ... View more