How can I create a field for different search params and include others as well? I.e.
source="/location/to/file" "error" AND ("This is one error" OR "this is another error" OR "this is the last error") | fieldchart count
So that the chart shows the count of each type of error and all the rest are grouped in "other"?
Splunk Novice here so any help would be nice!
Thank you!!
Sweet. Thank you so much!
Hi,
you could try something like this:
source="/location/to/file" | rex "(?<special_error>This is one error)" | rex "(?<special_error>this is another error)" | eval error_type=if(isnotnull(special_error),special_error,"other") | stats count by error_type
Just a few thoughts on the search
If you can post some sample events it will be easier to help.
Good luck
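A variant of the approach in the answer above, as an added example that is not part of the original thread: one case-insensitive rex with alternation covers all three messages from the question, and everything else falls into "other". The six events are constructed with makeresults so the search runs on its own; against real data, replace the first three commands with source="/location/to/file" "error" and leave the three phrases out of the base search, because ANDing them there drops every other event before it can be counted as "other".

```spl
| makeresults count=6
| streamstats count AS n
| eval _raw=case(
    n=1, "error: This is one error",
    n=2, "error: this is another error",
    n=3, "error: This is one error",
    n=4, "error: this is the last error",
    n=5, "error: disk quota exceeded",
    n=6, "error: connection reset")
| rex "(?i)(?<special_error>this is one error|this is another error|this is the last error)"
| eval error_type=coalesce(lower(special_error), "other")
| stats count BY error_type
| sort - count
```

lower() folds the matched text so that differently capitalised copies of the same message are counted on one row.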