https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471551#M132655 <P>Hi, you are absolutely right but I find it difficult to supply samples. The situation is that there is a chain of events, every event starts with the logger "start" when the event cannot be distrtibuted it ends in an exception. Every event contains a messageid en sometimes a businessid. The messageid is unique for every string of events, this can be 2 events of 100. In case of an error there will be retries with the same messageid. I need the count of the unique id's that have been started en the count of the id's that had an exception. Both dedupped.</P> <P>Message.ID LOGGER LOGGER</P> <PRE><CODE>1 “start” 2 “start” 3 “start” 3 "Exception" 3 "Exception" 4 "Start" 5 "Start" 5 "Exception" 6 "Start" 7 "Start" </CODE></PRE> Thu, 04 Jun 2020 15:01:42 GMT Mike6960 2020-06-04T15:01:42Z https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471548#M132652 <P>I am trying to make an overview with different counts. The message always starts with :</P> <P>logger="blahblah-main.Start*"</P> <P>Some will go in error and then they will apear with:</P> <P>logger="blahblah.Exception"<BR />The difficult thing is that I want the unique ID's, so some messages will have an retry in both loggers.I tried to use dedup but then I will miss messages when they are in both loggers. I hope someone can make sense of my question....</P> <P>search.... logger="blahblah-main.Start*" OR logger="blahblah.Exception" |dedup message.MessagId|dedup message.BusinessId |chart count by logger</P> Mon, 08 Jun 2020 17:24:37 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471548#M132652 Mike6960 2020-06-08T17:24:37Z https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471549#M132653 <P>Please share complete examples of error and non-error messages. Let us know where to find the MessageId and BusinessId fields.</P> Thu, 04 Jun 2020 13:02:11 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471549#M132653 richgalloway 2020-06-04T13:02:11Z https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471550#M132654 <P>@richgalloway is right - without <EM>real</EM> sample data, we're not going to be able to help you as well as we could otherwise</P> <P>We need you to supply sample data</P> <P>That said, here's a possible guess as to what you're trying to do:</P> <PRE><CODE>index=ndx sourcetype=srctp logger="blahblah-main.Start" OR logger="blahblah.Exception" | stats values(message.MessageId) as MessageId values(message.BusinessId) as BusinessId by logger </CODE></PRE> Thu, 04 Jun 2020 13:22:26 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471550#M132654 wmyersas 2020-06-04T13:22:26Z https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471551#M132655 <P>Hi, you are absolutely right but I find it difficult to supply samples. The situation is that there is a chain of events, every event starts with the logger "start" when the event cannot be distrtibuted it ends in an exception. Every event contains a messageid en sometimes a businessid. The messageid is unique for every string of events, this can be 2 events of 100. In case of an error there will be retries with the same messageid. I need the count of the unique id's that have been started en the count of the id's that had an exception. Both dedupped.</P> <P>Message.ID LOGGER LOGGER</P> <PRE><CODE>1 “start” 2 “start” 3 “start” 3 "Exception" 3 "Exception" 4 "Start" 5 "Start" 5 "Exception" 6 "Start" 7 "Start" </CODE></PRE> Thu, 04 Jun 2020 15:01:42 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-or-eval/m-p/471551#M132655 Mike6960 2020-06-04T15:01:42Z