Hi @usarios,

let me inderstand there could be eventId with only one message or the same eventId could have different messages in different events?

if the second you could run something like this:

index="idx" ("Transaction failed" OR "Duplicate key" OR "Event processed successfully")
| eval message=case(searchmatch("Transaction failed"),"Transaction failed", searchmatch("Duplicate key"),"Duplicate key",searchmatch("Event processed successfully","Event processed successfully")
| stats dc(message) AS message_count values(message) AS message BY eventId
| where message_count=1 AND message="Transaction failed"
| table eventId

Ciao.

Giuseppe