Try single quotes around the fieldname in the case statement Splunk can be finicky about fieldnames with certain characters such as ".", "{}" Example:   | eval dct_domain=case('host.domain'=="prd", "Production", 'host.domain'=="uat", "Pre-Production", 'host.domain'=="dev", "Development", true(), "test" )      

Here is my contribution to this topic, since it now almost 2024. index="wineventlog" source="WinEventLog:Security" (EventCode=4624 AND Logon_Type=2) OR EventCode=4647 Account_Name=* action=success ComputerName=* earliest=-1d@d latest=@d | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | eval User=lower(User) | search NOT User IN (*$, system) | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4647" maxspan=-1 | eval Logontime=if(EventCode="4624",_time,null()) | eval Logofftime=Logontime+duration | eval Duration=round(duration/60/60, 2) | convert ctime(Logontime) as Logontime | convert ctime(Logofftime) as Logofftime | table User ComputerName Logontime Logofftime Duration EventCode Logon_Type | sort user, host, -Duration | rename duration AS "Duration (hours)" For my use case I was looking for interactive sessions or sessions initiated by the user.  The log off event is 4647.  The previous days events are being collected using the earliest and latest settings.   I converted my time to hours with two decimal places.  Lastly, I excluded the system account. Thanks to all those who contributed to the previous solutions they were really helpful.

So to use your original SPL you posted, it would look something like this. | from datamodel Endpoint.Filesystem | search action=deleted AND Image IN ("*powershell.exe", "*cmd.exe") | lookup files_deleted file_path OUTPUT file_path as path_lookup | where isnotnull(path_lookup) This method assumes that the field "file_path" is properly extracted from your events and that you have enabled the match_type WILDCARD(file_path) setting in the lookup definition. If the field value from "file_path" in the events matches any entry in the lookup, including wildcards, it will return a net-new field to your event named "path_lookup". If an event does not match an entry in the lookup then there will be no new field returned for that event. The final where clause in the search will only keep the events  where a match was made against the lookup.

Hi, @dtburrows3  I'm still having trouble understanding this query. My goal is to retrieve the file_path field in the event and compare it with a lookup file containing files that should not be deleted. If the file_path in my event matches a file in the lookup file, then the alert should be triggered. Similar to blacklisting malicious IP addresses.