I'd like to eval a status code field where the status is one or the other or multiple. The below works for only 200.
| eval status = coalesce(status, $error.status$)
| where status = 200
I'd like to do something like:
| where status = 200 OR 201
There are a couple of ways to do that.
| eval status = coalesce(status, $error.status$)
| where (status = 200 OR status = 201)
Or
| eval status = coalesce(status, $error.status$)
| where in(status, 200, 201)
Or
| eval status = coalesce(status, $error.status$)
| search status IN(200, 201)
Or
| eval status = coalesce(status, $error.status$)
| search status=200 OR status=201