https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519151#M146177 <P>Hello,</P> <P>I am trying to test on a single host and this search may be completely wrong and would appreciate any assistance as I am just starting to use Splunk.</P> <P>I am trying to capture any local accounts created or added to the local Administrators group on one host.</P> <P>This gets me what I need, which is the Time(when), hostname ,who created but the Security_ID field is lumping all into one .. I need a column with just the Hostname\LocalAccountName or just LocalAccountName</P> <P>Security_ID is including the SAmAccountname that created the account, the local account name and&nbsp;BUILTIN\Administrators all in one.</P> <P>This is what I am searching, any help will be appreciated.</P> <LI-CODE lang="markup">MyHostName EventCode=4732 OR EventCode=4720 | table _time, HostName, src_user, Security_ID, EventCode,</LI-CODE> Fri, 11 Sep 2020 20:56:32 GMT papa 2020-09-11T20:56:32Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519151#M146177 <P>Hello,</P> <P>I am trying to test on a single host and this search may be completely wrong and would appreciate any assistance as I am just starting to use Splunk.</P> <P>I am trying to capture any local accounts created or added to the local Administrators group on one host.</P> <P>This gets me what I need, which is the Time(when), hostname ,who created but the Security_ID field is lumping all into one .. I need a column with just the Hostname\LocalAccountName or just LocalAccountName</P> <P>Security_ID is including the SAmAccountname that created the account, the local account name and&nbsp;BUILTIN\Administrators all in one.</P> <P>This is what I am searching, any help will be appreciated.</P> <LI-CODE lang="markup">MyHostName EventCode=4732 OR EventCode=4720 | table _time, HostName, src_user, Security_ID, EventCode,</LI-CODE> Fri, 11 Sep 2020 20:56:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519151#M146177 papa 2020-09-11T20:56:32Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519182#M146193 Can you post a screen cap or sample of your log event? Sat, 12 Sep 2020 03:48:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519182#M146193 marycordova 2020-09-12T03:48:40Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519184#M146194 <P>Your problem I think, is that SecurityID is a multivalue field.&nbsp;&nbsp;</P><P>For reference:&nbsp;<A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732" target="_blank" rel="noopener">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marycordova_1-1599883111253.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10790iE2EF47B77C23BF68/image-size/medium?v=v2&amp;px=400" role="button" title="marycordova_1-1599883111253.png" alt="marycordova_1-1599883111253.png" /></span></P><P>If you want to extract these into individual fields you would use "mvindex":</P><P>&nbsp;</P><LI-CODE lang="markup">|eval subject_sid=mvindex('SecurityID',0) |eval member_sid=mvindex('SecurityID',1) |eval group_sid=mvindex('SecurityID',2)</LI-CODE><P>&nbsp;</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/MultivalueEvalFunctions#mvindex.28MVFIELD.2CSTARTINDEX.2C_ENDINDEX.29" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/MultivalueEvalFunctions#mvindex.28MVFIELD.2CSTARTINDEX.2C_ENDINDEX.29</A></P> Sat, 12 Sep 2020 04:00:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519184#M146194 marycordova 2020-09-12T04:00:13Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519511#M146335 <P>Hi Marcy</P><P>The example log you posted is the exact that I see , I tested your example below but it made no difference .. is that how I would search ?</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">MyHostName EventCode=4732 OR EventCode=4720 | table _time, HostName, src_user, Security_ID, EventCode |eval group_sid=mvindex('SecurityID',2)</LI-CODE><P>&nbsp;</P> Mon, 14 Sep 2020 17:21:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519511#M146335 papa 2020-09-14T17:21:12Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519524#M146337 <P>MyHostName EventCode=4732 OR EventCode=4720<BR />| eval group_sid=mvindex('SecurityID',2)<BR />| table _time, HostName, src_user, <STRONG>group_sid</STRONG>, EventCode</P> Mon, 14 Sep 2020 17:35:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519524#M146337 marycordova 2020-09-14T17:35:20Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519526#M146338 <P>that was it , I modified it a bit and got the&nbsp;</P><P>I modified&nbsp;<SPAN>('SecurityID',2) to&nbsp;('Security_ID',1)</SPAN></P><LI-CODE lang="markup">MyHostName EventCode=4732 OR EventCode=4720 | eval group_sid=mvindex('Security_ID',1) | table _time, HostName, src_user,group_sid</LI-CODE><P>&nbsp;</P> Mon, 14 Sep 2020 17:47:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-data-from-Security-ID-field-when-capturing-local/m-p/519526#M146338 papa 2020-09-14T17:47:39Z