https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104471#M27066 <OL> <LI>Is Eventcode a field or a string?&nbsp; You are treating it as a string.&nbsp; If it is a field and not a string, your search won't work</LI> <LI>Make sure you are getting the _raw data you expect after your search criteria.&nbsp; Your rex for <ACTION> is suspect as it doesn't match the case used in the search.</ACTION></LI> </OL> <P>To Ayn's point, what data are you working with and what are you trying to do?</P> Sun, 22 Jul 2012 20:30:51 GMT chrismorris 2012-07-22T20:30:51Z https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104468#M27063 <PRE><CODE>index="Server" ( CategoryString="Account Management" OR TaskCategory="Security Group Management" ) (Message="Security Enabled*" OR Message="A member was added to a*" OR Message="A member was removed from a*") ("EventCode=624" OR "EventCode=630" OR "EventCode=4720" OR "Eventcode=4726") | eval caller = if(isnull(Account_Name), Caller_User_Name, mvindex(Account_Name,0)) | eval member = if(isnull(Account_Name), Member_Name, mvindex(Account_Name,1)) | eval group = if(isnull(Target_Account_Name), Group_Name, Target_Account_Name) | rex field=_raw "CN=(?&lt;cname&gt;.+?)," | rex field=_raw "Message=A security-enabled .* was (?&lt;action&gt;.+?)\." | rex field=_raw "was (?&lt;details&gt;\S+)"| table _time host caller details cname| rename _time AS Date/Time cname AS User group AS Group caller AS "Initiator" name AS "Description" host AS "DC" Security_ID AS "Initiator" details AS Action | convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Date/Time) </CODE></PRE> <P>I can not get the removed field to work, when i put the proper event codes that I want. Does anyone have any suggestions? </P> Fri, 20 Jul 2012 17:19:50 GMT https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104468#M27063 Michael_Schyma1 2012-07-20T17:19:50Z https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104469#M27064 <P>It's kind of hard to read your questions - it's a search consisting of 10 dense lines, followed by a very short text about something that does not work. Please include more detail on your use-case, what the desired outcome is, what results you are getting instead and any other details that might help us help you.</P> Fri, 20 Jul 2012 19:31:31 GMT https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104469#M27064 Ayn 2012-07-20T19:31:31Z https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104470#M27065 <P>Agreed... where is your "removed" field meant to be used, the string "removed" is only mentioned once in your search syntax, and that is part of the initial search command.</P> Sat, 21 Jul 2012 15:47:11 GMT https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104470#M27065 MHibbin 2012-07-21T15:47:11Z https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104471#M27066 <OL> <LI>Is Eventcode a field or a string?&nbsp; You are treating it as a string.&nbsp; If it is a field and not a string, your search won't work</LI> <LI>Make sure you are getting the _raw data you expect after your search criteria.&nbsp; Your rex for <ACTION> is suspect as it doesn't match the case used in the search.</ACTION></LI> </OL> <P>To Ayn's point, what data are you working with and what are you trying to do?</P> Sun, 22 Jul 2012 20:30:51 GMT https://community.splunk.com/t5/Splunk-Search/Search-Removed-Added/m-p/104471#M27066 chrismorris 2012-07-22T20:30:51Z