Splunk Search

How to check for list of values and evaluate true/false?

h3xa
Explorer

I am new to Splunk and I cannot figure out how to check the values and evaluate True/False.
Below is the query that I tried.

index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False")
| dedup host,EventID,ev_field
| table host,EventID,ev_field

The requirement is to check whether a host (e.g. "testhost1") has particular values in the EventID field and, if not, to mark them as "False" or something like that...

The query that I made evaluates and adds True to "ev_field" for the EventIDs that it finds, but I can't figure out how to add False for the EventIDs that it does not match or find in the logs.
The EventIDs that are not present in the logs simply won't show up in the results.

This is the result that I get:

[screenshot: current results, only the EventIDs found are listed with ev_field = True]

This is what I actually need:

[screenshot: desired results, every expected EventID listed with ev_field = True or False]

The second image is edited just as an example to make my point what i need as a result.

1 Solution

somesoni2
Revered Legend

Assuming your EventID list is fixed and small like the example, you can try something like this:

index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = "True"
| chart values(ev_field) over host by EventID
| table host,"4688","4103","4104","4768","4769" 
| fillnull value="False" "4688","4103","4104","4768","4769"
| untable host,EventID,ev_field

h3xa
Explorer

This works I think, thank you very much :_) you are a legend xD

ITWhisperer
SplunkTrust

Try something like this

index=windows host=testhost1
| eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False")
| dedup host,EventID
| table host,EventID,ev_field

PickleRick
Ultra Champion

It's a very typical kind of question on this forum.

And as always the answer is - you're only operating on what you have so at each stage of your pipeline you only know what events/results you got at this moment, not what you wanted to have. In other words - if your search tried to match several values but found only one of them, you no longer know what values you tried to find, just which values you found.

There are some tricks to do things like you want however - see https://www.duanewaddle.com/proving-a-negative/

h3xa
Explorer

Thanks for the information, I appreciate it.
I think for now @somesoni2's approach works.
I will also try doing it with lookup tables 🙂
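Added example (not from any post in this thread): the same host/EventID/ev_field table built with the "proving a negative" pattern that PickleRick links to, without chart/untable. A makeresults-generated list of the expected EventIDs is appended to the real search so that IDs with no matching events still produce a row; the index, host and EventID list are taken from the question, and the helper field name seen is an assumption.

```spl
| makeresults
| eval host="testhost1", EventID=split("4688,4103,4104,4768,4769", ","), seen=0
| mvexpand EventID
| fields host, EventID, seen
| append
    [ search index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
      | stats count by host, EventID
      | eval seen=1
      | fields host, EventID, seen ]
| stats max(seen) as seen by host, EventID
| eval ev_field=if(seen=1, "True", "False")
| table host, EventID, ev_field
```

The stats count by host, EventID inside the subsearch collapses the real events to at most one row per EventID, which keeps the append subsearch well under the subsearch result limits.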
