Hi dear community! I'm trying to build the dashboard using records in two states, STATE1 and STATE2. I'm logging state changes, so in the logs I have these lines:

    RECORD_<record_id>_CHANGED_STATE_TO STATE1
    RECORD_<record_id>_CHANGED_STATE_TO STATE2

To get all the records in STATE2 I use this and it works well:

    index=... source=... "CHANGED_STATUS_TO STATE2"
    | eval action="STATE2"
    | timechart count by action span=200m

To get the records in STATE1 I need to grep all the records "CHANGE_STATUS_TO STATE1" but filter them, removing all the records that are already in STATE2. I was trying to extract record_id and use a subsearch like this, but it seems I'm doing something wrong:

    index=... source=... NOT record_id+"CHANGED_STATUS_TO STATE2"
        [search index=... source=... | rex "(?<record_id>\d+)_CHANGED_STATUS_TO STATE1" | fields record_id]
    | eval action="STATE1"
    | timechart count by action span=200m

Could you please help me?
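As an added example (not code from the original post), one way to get "records whose most recent state is STATE1" without a subsearch is to extract record_id and state from every state-change event and keep the latest state per record with stats. It assumes the raw events literally contain CHANGED_STATE_TO, as in the log lines shown above (the queries in the post search for CHANGED_STATUS_TO, so adjust the string to whatever is actually logged):

```spl
index=... source=... "CHANGED_STATE_TO"
| rex "RECORD_(?<record_id>\d+)_CHANGED_STATE_TO (?<state>STATE[12])"
| stats latest(state) as current_state, max(_time) as _time by record_id
| where current_state="STATE1"
| eval action="STATE1"
| timechart count by action span=200m
```

Because stats collapses each record to one row, _time is rebuilt from the record's last state change so timechart still has a timestamp to bucket on; a record that later moves to STATE2 drops out of the STATE1 count automatically.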