I'm writing a search to determine what percentage of events are error events for a camera-based system.
To narrow logged events down to camera events, I have event=camera* in the initial search.
What I want to do next is treat the event as bad if it's in a subset, so I want something like:
event=camera* | eval bad_event=IF(event IN (camera-failed, camera-error, ...))
but I am not sure of the correct syntax for this in Splunk.
I tried eval bad_event=IF(event=camera-failed OR event=camera-error), but got the message Error in 'eval' command: The arguments to the 'if' function are invalid.
How do I check if the event is in a subset of its possible values?
There are multiple ways to do it. One is this
event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error","Yes","No")
Other options
event=camera* | eval bad_event=if(like("camera-failed,camera-error,camera-anyother","%".event."%"),"Yes","No")
Thank you, this really helped. I'm now having trouble using that result, because I want to calculate the percentage of all events which are bad_events, and I'm not sure how to do that (very new to Splunk). That's probably a second question, but if you could give me some insight there I would appreciate it.
Try something like this
event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error",1,0) | stats count as total_events sum(bad_event) as bad_events | eval percentage=round(100*bad_events/total_events,2)
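As an added example (not from any of the answers above), the same subset check and percentage can be written with eval's in() function, which takes the field and the list of allowed values directly and so avoids the substring matching of the like() variant (like("...,camera-error,...","%".event."%") is also true for a value such as "error" or "camera", since those are substrings of the list). The value "camera-timeout" is a constructed placeholder for whatever other bad event names exist in your data:

```spl
event=camera*
| eval bad_event=if(in(event, "camera-failed", "camera-error", "camera-timeout"), 1, 0)
| stats count AS total_events, sum(bad_event) AS bad_events
| eval percentage=round(100*bad_events/total_events, 2)
```

Because bad_event is 1 or 0, sum(bad_event) counts the bad events and count gives the total, so the final eval yields the percentage; adding a by clause to stats (for example, stats ... by host) gives the same percentage per camera host.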