I'm writing a search to determine what percentage of events are error events for a camera-based system.
To narrow logged events down to camera events, I have event=camera* in the initial search.
What I want to do next is treat the event as bad if it's in a subset, so I want something like:
event=camera* | eval bad_event=IF(event IN (camera-failed, camera-error, ...))
but I am not sure of the correct syntax for this in Splunk.
I tried eval bad_event=IF(event=camera-failed OR event=camera-error), but got the message Error in 'eval' command: The arguments to the 'if' function are invalid.
How do I check if the event is in a subset of its possible values?
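One way to write the membership check and the percentage, as an added example that is not part of the original post: eval's if() takes three arguments (condition, value if true, value if false), and the values are double-quoted because eval reads an unquoted camera-failed as field camera minus field failed. The names total, bad and pct_bad are assumed, and only the two values named in the post are listed.

```spl
event=camera*
| eval bad_event=if(in(event, "camera-failed", "camera-error"), 1, 0)
| stats count AS total, sum(bad_event) AS bad
| eval pct_bad=round(100 * bad / total, 2)
```

The in() function needs Splunk 6.6 or later; on older versions the same condition can be written as if(event="camera-failed" OR event="camera-error", 1, 0).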