It's really strange but the resulting events do not contain the word ERROR.
All the events have either the word 'struc' or 'xpo'.
But none of the events contain 'struc' AND 'error'.
Now, when I removed the line ("struc" OR "xpo") and put error there, like the following,
it shows events only with the 'error' keyword, not error AND struc.
(host="something1.domain.com" OR "something2.domain.com" OR "something3.domain.com" OR "something4.domain.com" OR "something5.domian.com" )
error
| eval struc = if(like(_raw,"%struc%") AND like(_raw,"%ERROR%"),1,0)
| eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%ERROR%"),1,0)
| stats sum(struc) as nfs1_count sum(xpo) as nfs2_count