I would place posed problems and solved problems into separate sets, then use eventstats to mash them up for comparison. Like this:

index="production" "Problem #" earliest=-3h latest=-1h
| rex field=message "Problem #(?<problem_id>[^:]+):"
| stats count by problem_id
| append
    [search index="production" "Solved problem_id successful: " earliest=-3h
    | rex field=message "Solved problem_id successful: (?<solved_id>\S+)"
    | stats values(solved_id) as solved]
| eventstats values(solved) as solved
| where isnotnull(problem_id) AND isnull(mvfind(solved, "^".problem_id."$"))
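The same comparison can be done in a single pass without append/eventstats, which avoids comparing a scalar against a multivalue field. The search below is an added example written for this page, not part of the answer above; it assumes the same message formats ("Problem #<id>:" and "Solved problem_id successful: <id>") and the same windows (problems posed up to an hour ago, solutions seen within the last three hours). The field names `id`, `posed`, `solved` and `first_posed` are chosen here and are not from the original post.

```spl
index="production" earliest=-3h ("Problem #" OR "Solved problem_id successful: ")
``` extract the id from whichever message type the event is ```
| rex field=message "Problem #(?<problem_id>[^:]+):"
| rex field=message "Solved problem_id successful: (?<solved_id>\S+)"
| eval id=coalesce(problem_id, solved_id)
``` a problem counts as posed only if it is older than one hour, so it had time to be solved ```
| eval posed=if(isnotnull(problem_id) AND _time < relative_time(now(), "-1h"), 1, 0)
| eval solved=if(isnotnull(solved_id), 1, 0)
``` one row per id, then keep ids that were posed but never solved ```
| stats sum(posed) as posed, sum(solved) as solved, min(_time) as first_posed by id
| where posed > 0 AND solved = 0
| convert ctime(first_posed)
| table id posed first_posed
```

Because every id becomes one row with explicit `posed` and `solved` counters, the final `where` is a plain numeric test; a solution logged for an id that was never posed simply drops out, and an id posed several times still appears once with its earliest timestamp. The triple-backtick comments require a Splunk version that supports inline search comments; remove them on older versions.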