Solved: Re: Yes / No Column if EventCode Found in Lookup

aferone · ‎11-05-2020

I have a lookup table with certain Windows Event Codes. I am searching our Windows index for all Windows Event Codes. I would like a count of all Windows Event Codes, per Event Code, and a column that says whether that Event Code is in my lookup table. This is what I am attempting partly with what I found on Answers, but it isn't working:

| inputlookup MyWinEvCodes 
| fields EventCode 
| append 
    [ search index=winsevlog 
    | stats count as Count by EventCode
        ] 
| eval Found = if(Count > 1,"Yes","No") 
| stats count by EventCode, Found 
| sort + count

Thank you in advance!

richgalloway · ‎11-05-2020

Try this query.

index=winsevlog 
| stats count as Count by EventCode
| fields - count
| lookup MyWinEvCodes EventCode OUTPUT EventCode
| eval Found = if(isnotnull(EventCode),"Yes","No") 
| table EventCode, Found

---
If this reply helps you, Karma would be appreciated.

View solution in original post

aferone · ‎11-05-2020

Thanks!

richgalloway · ‎11-05-2020

Try this query.

index=winsevlog 
| stats count as Count by EventCode
| fields - count
| lookup MyWinEvCodes EventCode OUTPUT EventCode
| eval Found = if(isnotnull(EventCode),"Yes","No") 
| table EventCode, Found

---
If this reply helps you, Karma would be appreciated.

Yes / No Column if EventCode Found in Lookup

lookup

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Join the Conversation

Yes / No Column if EventCode Found in Lookup

lookup

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits

See Splunk Platform & Observability Innovations at Cisco Live EMEA