About dsb6

dsb6 · ‎12-07-2021

Thanks for your reply bowesmana. I was not clear on the desired output. EventCode=19 will return multiple results for hundreds of ComputerName matches. The desired output is one line per ComputerName where HotFixID is either the matched KB or 'NotInstalled'.

dsb6 · ‎11-23-2021

The suggested if(in(a,b)) does return the required results however, the results include a HotFixID value for each KB value. Using the sample KB values from my post, results for HotFixID are NotInstalled 5008601 NotInstalled Preference would be to have one result per ComputerName with HotFixID value of matched KB value or NotInstalled.

dsb6 · ‎11-23-2021

I have a base search: index=oswin EventCode=19 SourceName="Microsoft-Windows-WindowsUpdateClient" earliest=-10d ComputerName=*.somedomain.com | rex "\WKB(?<KB>.\d+)\W" The result populates field ‘KB’ with a list of values similar to: 5007192 5008601 890830 I need to test if ‘KB’ contains one of the following: “5008601”, “5008602”, “5008603”, “5008604”, “5008605”, “5008606” If a match is found, populate field HotFixID (new field) with the matched value. If no match is found, populate field HotFixID with “NotInstalled”. Using search KB IN (5008601,5008602,5008603,5008604,5008605,5008606) results in matched values only. Case function works only if the matched value is the last one evaluated, otherwise it returns "notInstalled" even though a match is present.

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎11-23-2021

Online Status	Offline
Date Last Visited	‎12-07-2021 02:06 PM

Matching field values to text

Re: Matching field values to text

Re: Matching field values to text

Matching field values to text