I am new to Splunk and I cannot figure out how to check the values and evaluate True/False. Below is the query that I tried.
index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
| eval ev_field = if('EventID' IN ("4688","4103","4104","4768","4769"), "True","False")
| dedup host,EventID,ev_field
| table host,EventID,ev_field
The requirement is to check if, e.g., "testhost1" has particular values in the EventID field and, if not, to mark them as "false" or something like that...
The query that I made evaluates and adds TRUE to the "ev_field" for the EventIDs that it finds, but I can't figure out how to add False for the EventIDs that it does not match or find in the logs. The EventIDs that are not present in the logs simply won't show in the results.
This is the result that i get:
This is what i actually need:
The second image is edited just as an example to make my point about what I need as a result.
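One way to get the missing EventIDs marked False, as an added example that is not part of the original post: build the full set of expected (host, EventID) pairs with makeresults, append the counts actually observed in the logs, and sum them so any ID never seen for that host ends up with a count of 0. The host name and the five EventIDs are taken from the question; the index and time range are whatever the original search uses.

```spl
| makeresults
| eval host=split("testhost1", ",")
| mvexpand host
| eval EventID=split("4688,4103,4104,4768,4769", ",")
| mvexpand EventID
| eval count=0
| fields host EventID count
| append
    [ search index=windows host=testhost1 EventID IN ("4688","4103","4104","4768","4769")
      | stats count by host EventID ]
| stats sum(count) as count by host EventID
| eval ev_field = if(count > 0, "True", "False")
| table host EventID ev_field
```

To cover several hosts at once, list them in the first split() (e.g. "testhost1,testhost2") and widen the host= filter in the appended search; the stats step replaces the dedup, since each (host, EventID) pair now appears exactly once with its True/False flag.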