splunk

Splunk create value on table with base search and eval from lookup


Having some issues with my SPL query. The search below is creating a table from AWS CloudTrail logs, and is using a lookup file containing AD data. Each row of the table contains login data from AWS like last login and number of logins. I'm trying to use the AD lookup to see if the users logging in are still active on this AD file. I do not have an inactive lookup; the only thing I have to go off is that the user will no longer show up on the AD lookup. So that means it will have blanks on the table if the logins do not find a match on the AD lookup. So I want to eval a new status field based off whether "identity is null". I've tried both case and if, not getting anything. Everything is working fine except line 16.

index=aws sourcetype="aws:cloudtrail" eventCategory=Management eventType=AwsConsoleSignin
| stats max(_time) AS last_login count AS logins by userIdentity.arn
| rename userIdentity.arn AS user
| search user="*.com"
| eval temp=split(user,":")
| eval Account_number = mvindex(temp, 4)
| eval usr =mvindex(temp, 5)
| fields - temp
| eval temp2=split(usr,"/")
| eval role_type=mvindex(temp2,0)
| eval role=mvindex(temp2,1)
| eval user_email=mvindex(temp2,2)
| eval last_login=strftime(last_login,"%c")
| rename user_email AS email
| lookup identity_ad email OUTPUTNEW bunit memberOf identity first last
| eval status=case(identity==null, "inactive", identity!=null "active")
| table status, first, last, identity, email, bunit, role, role_type, logins, last_login

Everything is returning correctly in the table except the status field, which is being calculated on line 16 of the query. Any help or a point in the right direction would be greatly appreciated. Thanks.


Solution

  • Splunk has the isnull and isnotnull functions for testing if a field is null or not.

    index=aws sourcetype="aws:cloudtrail" eventCategory=Management eventType=AwsConsoleSignin
    | stats max(_time) AS last_login count AS logins by userIdentity.arn
    | rename userIdentity.arn AS user
    | search user="*.com"
    | eval temp=split(user,":")
    | eval Account_number = mvindex(temp, 4)
    | eval usr =mvindex(temp, 5)
    | fields - temp
    | eval temp2=split(usr,"/")
    | eval role_type=mvindex(temp2,0)
    | eval role=mvindex(temp2,1)
    | eval user_email=mvindex(temp2,2)
    | eval last_login=strftime(last_login,"%c")
    | rename user_email AS email
    | lookup identity_ad email OUTPUTNEW bunit memberOf identity first last
    | eval status=case(isnull(identity), "inactive", isnotnull(identity), "active")
    | table status, first, last, identity, email, bunit, role, role_type, logins, last_login
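To see why the lookup leaves `identity` null for departed users, and why the join key matters, here is an added Python model of the pipeline above (example code, not the poster's SPL and not Splunk itself). The events, the `identity_ad` rows and the ARN values are constructed; the `case_insensitive` option stands in for a lookup whose `case_sensitive_match` is turned off in transforms.conf, since CSV lookups match case-sensitively by default and a mixed-case email in the ARN would otherwise be reported "inactive".

```python
# Constructed CloudTrail console sign-in events: (epoch _time, userIdentity.arn)
EVENTS = [
    (1700000000, "arn:aws:sts::111122223333:assumed-role/AdminRole/alice@example.com"),
    (1700003600, "arn:aws:sts::111122223333:assumed-role/AdminRole/alice@example.com"),
    (1700007200, "arn:aws:sts::111122223333:assumed-role/ReadOnly/Bob@Example.com"),
    (1700010800, "arn:aws:sts::111122223333:assumed-role/ReadOnly/carol@example.com"),
    (1700014400, "arn:aws:iam::111122223333:user/svc-deploy"),  # dropped by search user="*.com"
]

# Constructed identity_ad lookup keyed by email; a departed user (carol) simply has no row.
IDENTITY_AD = {
    "alice@example.com": {"identity": "alice", "first": "Alice", "last": "Ng", "bunit": "Security"},
    "bob@example.com": {"identity": "bob", "first": "Bob", "last": "Ray", "bunit": "Platform"},
}


def parse_arn(arn):
    """Mirror the two split/mvindex stages: ':' index 4 = account, index 5 = 'type/role/email'."""
    parts = arn.split(":")
    account, usr = parts[4], parts[5]
    sub = usr.split("/")
    sub += [None] * (3 - len(sub))  # mvindex past the end returns null; pad the same way
    return {"Account_number": account, "role_type": sub[0], "role": sub[1], "email": sub[2]}


def build_table(events, lookup, case_insensitive=True):
    """stats max(_time), count by arn; keep '*.com'; parse; lookup; status from a null identity."""
    stats = {}
    for t, arn in events:
        s = stats.setdefault(arn, {"last_login": 0, "logins": 0})
        s["last_login"] = max(s["last_login"], t)
        s["logins"] += 1
    ad = {k.lower(): v for k, v in lookup.items()} if case_insensitive else dict(lookup)
    rows = []
    for arn, s in stats.items():
        if not arn.endswith(".com"):
            continue
        row = {**parse_arn(arn), **s}
        key = row["email"] or ""
        match = ad.get(key.lower() if case_insensitive else key)
        # OUTPUTNEW adds identity only on a hit; None plays the part of the null field
        row["identity"] = match["identity"] if match else None
        row["status"] = "inactive" if row["identity"] is None else "active"  # isnull()/isnotnull()
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in build_table(EVENTS, IDENTITY_AD):
        print(r["status"], r["email"], r["role"], r["logins"], r["last_login"])
```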