Splunk Search

How do I edit my search to determine what percentage of error events are in a subset of values?

asfallows
Engager

I'm writing a search to determine what percentage of events are error events for a camera-based system.

To narrow logged events down to camera events, I have event=camera* in the initial search.

What I want to do next is treat the event as bad if it's in a subset, so I want something like:

event=camera* | eval bad_event=IF(event IN (camera-failed, camera-error, ...))

but I am not sure of the correct syntax for this in Splunk.

I tried eval bad_event=IF(event=camera-failed OR event=camera-error), but got the message Error in 'eval' command: The arguments to the 'if' function are invalid.

How do I check if the event is in a subset of its possible values?

Tags (3)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

There are multiple ways to do it. One is this

event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error","Yes","No")

Other options

event=camera* | eval bad_event=if(like("camera-failed,camera-error,camera-anyother","%".event."%"),"Yes","No")

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

There are multiple ways to do it. One is this

event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error","Yes","No")

Other options

event=camera* | eval bad_event=if(like("camera-failed,camera-error,camera-anyother","%".event."%"),"Yes","No")

asfallows
Engager

Thank you, this really helped. I'm now having trouble using that result, because I want to calculate the percentage of all events which are bad_events, and I'm not sure how to do that (very new to Splunk). That's probably a second question, but if you could give me some insight there I would appreciate it.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try something like this

event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error",1,0) | stats count as total_events sum(bad_event) as bad_events | eval percentage=round(100*bad_events/total_events,2)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...