Solved: Yes / No Column if EventCode Found in Lookup

aferone · ‎11-05-2020

I have a lookup table with certain Windows Event Codes. I am searching our Windows index for all Windows Event Codes. I would like a count of all Windows Event Codes, per Event Code, and a column that says whether that Event Code is in my lookup table. This is what I am attempting partly with what I found on Answers, but it isn't working:

| inputlookup MyWinEvCodes 
| fields EventCode 
| append 
    [ search index=winsevlog 
    | stats count as Count by EventCode
        ] 
| eval Found = if(Count > 1,"Yes","No") 
| stats count by EventCode, Found 
| sort + count

Thank you in advance!

richgalloway · ‎11-05-2020

Try this query.

index=winsevlog 
| stats count as Count by EventCode
| fields - count
| lookup MyWinEvCodes EventCode OUTPUT EventCode
| eval Found = if(isnotnull(EventCode),"Yes","No") 
| table EventCode, Found

---
If this reply helps you, Karma would be appreciated.

View solution in original post

aferone · ‎11-05-2020

Thanks!

richgalloway · ‎11-05-2020

Try this query.

index=winsevlog 
| stats count as Count by EventCode
| fields - count
| lookup MyWinEvCodes EventCode OUTPUT EventCode
| eval Found = if(isnotnull(EventCode),"Yes","No") 
| table EventCode, Found

---
If this reply helps you, Karma would be appreciated.

Yes / No Column if EventCode Found in Lookup

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation