- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my search to determine what percenta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm writing a search to determine what percentage of events are error events for a camera-based system.
To narrow logged events down to camera events, I have event=camera* in the initial search.
What I want to do next is treat the event as bad if it's in a subset, so I want something like:
event=camera* | eval bad_event=IF(event IN (camera-failed, camera-error, ...))
but I am not sure of the correct syntax for this in Splunk.
I tried eval bad_event=IF(event=camera-failed OR event=camera-error), but got the message Error in 'eval' command: The arguments to the 'if' function are invalid.
How do I check if the event is in a subset of its possible values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple ways to do it. One is this
event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error","Yes","No")
Other options
event=camera* | eval bad_event=if(like("camera-failed,camera-error,camera-anyother","%".event."%"),"Yes","No")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are multiple ways to do it. One is this
event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error","Yes","No")
Other options
event=camera* | eval bad_event=if(like("camera-failed,camera-error,camera-anyother","%".event."%"),"Yes","No")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this really helped. I'm now having trouble using that result, because I want to calculate the percentage of all events which are bad_events, and I'm not sure how to do that (very new to Splunk). That's probably a second question, but if you could give me some insight there I would appreciate it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
event=camera* | eval bad_event=if(event="camera-failed" OR event="camera-error",1,0) | stats count as total_events sum(bad_event) as bad_events | eval percentage=round(100*bad_events/total_events,2)
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
