Hello, I am having difficulty using the 'where property in (x,y,z,...)' type search filter in Splunk. Specifically, when the property values are strings.
This works for me:
index=indexName | where 'Error.Code' in (5224, 5198)
But this does not:
index=indexName | where 'Error.Type' in (ServConfigError,GetCompFail)
Any idea why that would be? I've tried a lot of combinations of quotes, single and double, around different things, and also trying this kind of construction:
index=indexName 'Error.Type' in (ServConfigError,GetCompFail)
and this
index=indexName | where in ('Error.Type', ServConfigError,GetCompFail)
and so on, and I can't get it to work
thanks for any help
↧