@inventsekar Rather than stats by count, i had to fix regular expression to take a escape character. It helped me fix. Thanks for responding and helping with great insights. ... View more

One extra '\' helped since it was looking for escape characters. Helped a lot! Thank you. ... View more

Thank you for sharing the docs. They helped a lot. ... View more

Worked like a charm. Thank you for quick help with query. ... View more

tried this one too, but some how i am getting all null rows under statistics tab and not able to display any corrl ids in table. ... View more

@inventsekar  1. When i run the above, the table which i am expecting under statistics is not returning any results or the list of IDs displayed. 2. The reason i was using search "*" was in real time, i will be getting the value from a text box and will be passed as '$CORRELATION_ID'. To do testing from the search i am replace it with * to list all corrl ids.   ... View more

index=test1 sourcetype=abc | rex field=_raw "\\\"correlationId\\\": \\\“(?[^\\\"]+)" | search "*" correlationId | stats count by correlationId   It is able to pull up the correlation ids now, but still not able to display in table. refered few links but could not find any luck. Any pointers?   ... View more

trackInfo is not extracted yet, what i was trying to do is to pass the "$correlation_ID$" that i get from input text box to "| search "$correlation_ID$" trackingInfo"[here it substitutes to either * for getting all the ids or specific correlation ID] like specified in my 2nd post. The json event look like below   { \"trackingInfo\": {\"correlationID\":\"101010\", \"components\": [{ { \"name\":\"test1\", \"executionTimeInMillis\":\"10\", \"receivedTimeStamp\":\"2022-08-12\", \"publishedTimeStamp\":\"2022-08-12\" }, { \"name\":\"test2\", \"executionTimeInMillis\":\"10\", \"receivedTimeStamp\":\"2022-08-12\", \"publishedTimeStamp\":\"2022-08-12\" } ] } }   in both app_log & temp_log sourcetype. All i have to do is join only based on correlationID between app_log & temp_log. find out the missing correlationID in temp_log,but present in app_log and display the correlationID in a table format. ... View more

Appreciate your quick response, Thank you!. Just wanted to put few more points based on my requirement, I spent lot of time but still could not follow correct steps. 1. I will get '*'  which is for all correlation id in last 24 hrs or any time frame set in splunk dashboard or a particular correlation id as input from the top level text box, 2. My query has to be more generic which should accept to query for all correlation ids(*) or a particular corrl id(123) and has to go for a search in two index source types and has to return the list of missing ids which are in a1 but not in a2. Though below is the query i am using based on suggestions, i am still not able to display in tabluar format with missing correlation ids, also i need to put the timestamp from a1. Below is the query and could you please suggest further.   index=qa_source sourcetype=app_log OR sourcetype=temp_log | search "*" trackingInfo | stats values(_time) as _time values(sourcetype) as sourcetype by trackInfo.correlationId | where mvcount(sourcetype)=1 AND sourcetype="app_log" | table trackInfo.correlationId Note: trackInfo.correlationId is a json format hence used that way. Appreciate your help and response here. Just checking back since a good amount of time is spent and now running out of time.             ... View more