Splunk Search

Counting duplicates when field equals value


I have the following scenario where duplicate accounts have been created for a transaction id value. I would like to count how many duplicates have been created and list it as a table. I compare the message with a string, which indicates the successful creation of the account. The current query is as follows:


index=myindex sourcetype=mysourcetype | spath message | search message="Account Created Successfully" |stats count by transactionId


I have the following format for logs


   level: info
   message: Account Created Successfully
   timestamp: 2021-08-02T05:58:44-04:00
   transactionId: 100200300



The above search query is not giving me the correct counts. I manually checked the logs for the transaction ID, but the `stats` count is wrong. How can I modify the query to get accurate counts?



hi @alwinaugustin,

Are the fields message and transactionId already extracted in your events? If not, you just need to use spath.

index=myindex sourcetype=mysourcetype "Account Created Successfully" | spath | stats count by transactionId


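To make the expected result of the corrected search concrete, here is an added Python emulation (not from the thread or from Splunk) of the pipeline `spath | search message="Account Created Successfully" | stats count by transactionId`, plus the trailing `| where count > 1` that narrows the table to the duplicated IDs the question is after. The events are constructed in the key/value layout shown in the question; the regex-based field extraction stands in for `spath`.

```python
import re
from collections import Counter

# Constructed sample events in the layout from the question: one
# "key: value" line per field, events separated by a blank line.
SAMPLE_EVENTS = """\
level: info
message: Account Created Successfully
timestamp: 2021-08-02T05:58:44-04:00
transactionId: 100200300

level: info
message: Account Created Successfully
timestamp: 2021-08-02T05:58:45-04:00
transactionId: 100200300

level: error
message: Account Creation Failed
timestamp: 2021-08-02T05:58:46-04:00
transactionId: 100200301

level: info
message: Account Created Successfully
timestamp: 2021-08-02T05:58:47-04:00
transactionId: 100200302
"""

FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")

def extract_fields(raw):
    # Stands in for `spath`: each blank-line separated event becomes a dict.
    events = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        pairs = (FIELD_RE.match(line) for line in block.splitlines())
        events.append({m.group(1): m.group(2) for m in pairs if m})
    return events

def count_by_transaction(events, message="Account Created Successfully"):
    # Emulates `search message="..." | stats count by transactionId`.
    # Events without a transactionId are dropped, as stats would do.
    return dict(Counter(
        e["transactionId"] for e in events
        if e.get("message") == message and "transactionId" in e
    ))

def duplicates_only(counts):
    # Emulates a trailing `| where count > 1`: keep IDs seen twice or more.
    return {tid: n for tid, n in counts.items() if n > 1}
```

Running `duplicates_only(count_by_transaction(extract_fields(SAMPLE_EVENTS)))` yields only the ID that produced two successful-creation events; the failed event and the single success are excluded, which is the table the question asks for.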