Counting duplicates when filed equals value

alwinaugustin · ‎08-03-2021

I have the following scenario where duplicate accounts has been created for a transaction id value. I would like to count how many duplicates has been created and list it as a table. I compare the message with a string, which indicates the successful creation of the account. The current query is as follows:

index=myindex sourcetype=mysourcetype | spath message | search message="Account Created Successfully" |stats count by transactionId

I have the following format for logs

{ 
   level: info
   message: Account Created Successfully
   timestamp: 2021-08-02T05:58:44-04:00
   transactionId: 100200300
}

The above search query is not giving me the correct counts. I manually checked the logs for the transaction ID, but the `stats` count is wrong. How can I modify the query to get accurate counts ?

manjunathmeti · ‎08-03-2021

hi @alwinaugustin,

Is fields message and trasnsactionId are already extracted in your events? If not, you need to just use spath.

index=myindex sourcetype=mysourcetype "Account Created Successfully" | spath | stats count by transactionId

Counting duplicates when filed equals value

count

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Counting duplicates when filed equals value

count

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers