Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check for list of values and evaluate true/false?

h3xa
Explorer
‎03-29-2022 05:33 AM

I am new to splunk and i cannot figure out how to check the Values and evaluate True/False.
Below is the query that i tried.

 

index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False")
| dedup host,EventID,ev_field
| table host,EventID,ev_field

 

Requirement is to check if the ex: "testhost1" has particular values in the EventID field and if not to mark as "false" or something like that...

The query that i made evaluates and adds TRUE to the "ev_field" for the EventIDs that it finds but i can't figure out how to add False for the EventIDs that it does not match or find in logs.
The EventIDs that are not present in logs there simply wont show in results.

This is the result that i get:

h3xa_0-1648556589403.png

This is what i actually need:

h3xa_1-1648556650733.png

The second image is edited just as an example to make my point what i need as a result.

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-29-2022 06:59 AM

Assuming your EventID list is fixed and small like the example, you can try something like this:

index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = "True"
| chart values(ev_field) over host by EventID
| table host,"4688","4103","4104","4768","4769" 
| fillnull value="False" "4688","4103","4104","4768","4769"
| untable host,EventID,ev_field

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-29-2022 06:59 AM

Assuming your EventID list is fixed and small like the example, you can try something like this:

index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = "True"
| chart values(ev_field) over host by EventID
| table host,"4688","4103","4104","4768","4769" 
| fillnull value="False" "4688","4103","4104","4768","4769"
| untable host,EventID,ev_field
Reply
Solved! Jump to solution

h3xa
Explorer
‎03-30-2022 07:45 AM

This works i think, thank you very much :_) u are a legend xD

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-29-2022 06:04 AM

Try something like this

index=windows host=testhost1
| eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False")
| dedup host,EventID
| table host,EventID,ev_field
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-29-2022 05:55 AM

It's a very typical kind of question on this forum.

And as always the answer is - you're only operating on what you have so at each stage of your pipeline you only know what events/results you got at this moment, not what you wanted to have. In other words - if your search tried to match several values but found only one of them, you no longer know what values you tried to find, just which values you found.

There are some tricks to do things like you want however - see https://www.duanewaddle.com/proving-a-negative/

0 Karma
Reply
Solved! Jump to solution

h3xa
Explorer
‎03-30-2022 07:49 AM

Thnx for the information, i appreciate it.
I think for now @somesoni2 's approach works. 
I also will try doing it with lookup tables 🙂

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...