I am new to Splunk and I cannot figure out how to check the values and evaluate True/False.
Below is the query that I tried.
index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False")
| dedup host,EventID,ev_field
| table host,EventID,ev_field
The requirement is to check if, e.g., "testhost1" has particular values in the EventID field and, if not, to mark it as "false" or something like that...
The query that I made evaluates and adds TRUE to the "ev_field" for the EventIDs that it finds, but I can't figure out how to add False for the EventIDs that it does not match or find in the logs.
The EventIDs that are not present in the logs simply won't show in the results.
This is the result that I get:
This is what I actually need:
The second image is edited just as an example to make my point about what I need as a result.
Assuming your EventID list is fixed and small like the example, you can try something like this:
index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = "True"
| chart values(ev_field) over host by EventID
| table host,"4688","4103","4104","4768","4769"
| fillnull value="False" "4688","4103","4104","4768","4769"
| untable host,EventID,ev_field
This works I think, thank you very much :_) you are a legend xD
Try something like this
index=windows host=testhost1
| eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False")
| dedup host,EventID
| table host,EventID,ev_field
It's a very typical kind of question on this forum.
And as always the answer is - you're only operating on what you have so at each stage of your pipeline you only know what events/results you got at this moment, not what you wanted to have. In other words - if your search tried to match several values but found only one of them, you no longer know what values you tried to find, just which values you found.
There are some tricks to do things like you want however - see https://www.duanewaddle.com/proving-a-negative/
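One way to implement this kind of trick, as an added example that is not from any of the posters above: instead of listing the IDs again in table and fillnull, append one synthetic row per expected EventID with seen=0 and let stats merge it with what the search actually found. The host name and the five IDs are the ones from the question; change them for your environment.

```spl
index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| stats count AS seen BY host, EventID
| append
    [| makeresults
     | eval host="testhost1", EventID="4688,4103,4104,4768,4769"
     | makemv delim="," EventID
     | mvexpand EventID
     | eval seen=0
     | fields host, EventID, seen]
| stats max(seen) AS seen BY host, EventID
| eval ev_field = if(seen > 0, "True", "False")
| table host, EventID, ev_field
```

An EventID that never appeared in the logs only has the synthetic seen=0 row, so it comes out as "False"; one that did appear has a count greater than 0 and wins under max(). To cover several hosts, put them in the host value of the makeresults row the same way and mvexpand that field too.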
Thanks for the information, I appreciate it.
I think for now @somesoni2 's approach works.
I also will try doing it with lookup tables 🙂