<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help with  windows security event log search string in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107195#M22541</link>
    <description>&lt;P&gt;Thank you Kristian. That worked, and you have  opened my eyes to the fact that there are evaluation functions.  I am very new at this. Thanks again for your help, it is much appreciated.&lt;/P&gt;</description>
    <pubDate>Mon, 21 Oct 2013 13:47:52 GMT</pubDate>
    <dc:creator>adrianmiron</dc:creator>
    <dc:date>2013-10-21T13:47:52Z</dc:date>
    <item>
      <title>Help with  windows security event log search string</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107193#M22539</link>
      <description>&lt;P&gt;In order to find out if and when a member was added to a security group,I have done a search for  EventCode=4728. The search returned the following:&lt;/P&gt;

&lt;P&gt;10/20/2013 01:10:24 PM&lt;/P&gt;

&lt;P&gt;LogName=Security&lt;/P&gt;

&lt;P&gt;SourceName=Microsoft Windows security auditing.&lt;/P&gt;

&lt;P&gt;EventCode=4728&lt;/P&gt;

&lt;P&gt;EventType=0&lt;/P&gt;

&lt;P&gt;Type=Information&lt;/P&gt;

&lt;P&gt;ComputerName=server1.domainname.com&lt;/P&gt;

&lt;P&gt;TaskCategory=Security Group Management&lt;/P&gt;

&lt;P&gt;OpCode=Info&lt;/P&gt;

&lt;P&gt;RecordNumber=5551234&lt;/P&gt;

&lt;P&gt;Keywords=Audit Success&lt;/P&gt;

&lt;P&gt;Message=A member was added to a security-enabled global group.&lt;/P&gt;

&lt;P&gt;Subject:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Security ID:        domainname\jdoe
Account Name:       jdoe
Account Domain:     domainname
Logon ID:       0x1e3ef1d1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Member:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Security ID:        domainname\jdoe
Account Name:       CN=John Doe,OU=My Users OU,DC=domainname,DC=com
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Group:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Security ID:        domainname\Test Users
Group Name:     Test Users
Group Domain:       domainname
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Additional Information:&lt;BR /&gt;
    Privileges:     -&lt;/P&gt;

&lt;P&gt;Once I viewed this information I changed my search to look like this:&lt;/P&gt;

&lt;P&gt;EventCode=4727 |rename Account_Name as Modifier | rename Group_Name as "Modified Group" |table _time, Host, Modifier, "Modified Group", user&lt;/P&gt;

&lt;P&gt;My problem is that I don't know how to deal with the two account names when I display the information in a table. The Modifier displays the right information which is the first account name. I would like user to display the information from "Account Name:     CN=John Doe,OU=My Users OU,DC=domainname,DC=com" and label it as "Member Added" as that is the member that was added to the Test Users group name.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 15:01:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107193#M22539</guid>
      <dc:creator>adrianmiron</dc:creator>
      <dc:date>2020-09-28T15:01:26Z</dc:date>
    </item>
    <item>
      <title>Re: Help with  windows security event log search string</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107194#M22540</link>
      <description>&lt;P&gt;Since Account_Name is a multivalued field, you'll have to get the correct value out of the array.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=blah sourcetype=bleh EventCode = 4727 
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Added = mvindex(Account_Name, 1) 
| rename Group_Name AS Modified_Group 
| table _time host Modifier Modified_Group Member_Added 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions"&gt;http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;/K&lt;/P&gt;</description>
      <pubDate>Sun, 20 Oct 2013 20:22:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107194#M22540</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2013-10-20T20:22:35Z</dc:date>
    </item>
    <item>
      <title>Re: Help with  windows security event log search string</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107195#M22541</link>
      <description>&lt;P&gt;Thank you Kristian. That worked, and you have  opened my eyes to the fact that there are evaluation functions.  I am very new at this. Thanks again for your help, it is much appreciated.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Oct 2013 13:47:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107195#M22541</guid>
      <dc:creator>adrianmiron</dc:creator>
      <dc:date>2013-10-21T13:47:52Z</dc:date>
    </item>
    <item>
      <title>Re: Help with  windows security event log search string</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107196#M22542</link>
      <description>&lt;P&gt;Thank you so much! This is extremely helpful for any event id pulled from the Windows Security Log.  Often there are 2 or 3 fields named the same (e.g. Account_Name) and you only want to pull the one value out.  Kristian's answer solved my issue big time.&lt;/P&gt;</description>
      <pubDate>Sun, 20 Dec 2015 09:21:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-windows-security-event-log-search-string/m-p/107196#M22542</guid>
      <dc:creator>SQservicedesk</dc:creator>
      <dc:date>2015-12-20T09:21:56Z</dc:date>
    </item>
  </channel>
</rss>

