Solved: Re: Yes / No Column if EventCode Found in Lookup

aferone · ‎11-05-2020

I have a lookup table with certain Windows Event Codes. I am searching our Windows index for all Windows Event Codes. I would like a count of all Windows Event Codes, per Event Code, and a column that says whether that Event Code is in my lookup table. This is what I am attempting partly with what I found on Answers, but it isn't working:

| inputlookup MyWinEvCodes 
| fields EventCode 
| append 
    [ search index=winsevlog 
    | stats count as Count by EventCode
        ] 
| eval Found = if(Count > 1,"Yes","No") 
| stats count by EventCode, Found 
| sort + count

Thank you in advance!

richgalloway · ‎11-05-2020

Try this query.

index=winsevlog 
| stats count as Count by EventCode
| fields - count
| lookup MyWinEvCodes EventCode OUTPUT EventCode
| eval Found = if(isnotnull(EventCode),"Yes","No") 
| table EventCode, Found

---
If this reply helps you, Karma would be appreciated.

View solution in original post

aferone · ‎11-05-2020

Thanks!

richgalloway · ‎11-05-2020

Try this query.

index=winsevlog 
| stats count as Count by EventCode
| fields - count
| lookup MyWinEvCodes EventCode OUTPUT EventCode
| eval Found = if(isnotnull(EventCode),"Yes","No") 
| table EventCode, Found

---
If this reply helps you, Karma would be appreciated.

Yes / No Column if EventCode Found in Lookup

lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!