We recently migrated to a Splunk Environment where the Add-on for Microsoft Windows is installed and now have problems with some of our existing (migrated) dashboards and searches.
Events of EventCode 4776 now all had an Error_Code value of "-". Normally the Error_Code in this type of event would be something like 0x0 for a successful authentication or C000006A for a wrong password.
I looked at the contents of the Add-on and found a calculated field for Error_Code:
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
So, if the Error_Code is null it makes the value "-". BUT even though the Error_Code in these events is NOT null, the calculated field is still kicking in.....
Further looking into the contents of the Add-on revealed the field alias:
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
So, since EventCode 4776 does not have a Status field (so it is null), the alias is making the Error_Code field value null, which then gets adjusted to "-" by the calculated field.
A different type of event - EventCode 4625 does have a Status field. There is no native field named Error_Code for it. But with the Add-on there is a Status field and an Error_Code field with the same value. Is that really needed?
Is there any reason why they decided to "clobber" the Error_Code field? For EventCode 4776, the Error_Code field is very useful for identifying successful vs unsuccessful authentications and determining the reason for the failed authentications. I can create a field extraction to get the value out but I really don't think I should have to in this case because it seems like this has to be some kind of a bug / undesired outcome.
I'm thinking of submitting a support request to Splunk but was curious as to other people's thoughts on this first.
Update for anyone with this problem:
Go to the alias and uncheck the box labelled "Overwrite field values".
This will prevent Splunk from overwriting the existing Error_Code field.
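The same fix expressed in props.conf, as an added example rather than the add-on's own shipped configuration: the "Overwrite field values" checkbox corresponds to the `AS` / `ASNEW` keyword on the field alias, and the override belongs in the add-on's `local/props.conf` so it survives upgrades. The stanza name and index name below are assumptions; use whichever stanza carries the alias in the add-on's `default/props.conf`.

```ini
# default/props.conf, as shipped (the behaviour described in the post).
# For EventCode 4776 there is no Status field, so the alias writes a null
# Error_Code over the one extracted from the event, and the calculated
# field then turns that null into "-".
[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)

# local/props.conf, override (local settings take precedence over default).
# ASNEW only creates Error_Code when the event does not already have one,
# which is what unchecking "Overwrite field values" in Splunk Web writes out.
# 4776 keeps its extracted Error_Code (0x0, C000006A, ...); 4625, which has
# no native Error_Code, still gets it copied from Status. The EVAL is left
# untouched and now only fires for events with no Error_Code at all.
[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code

# Verify after the change (index name is a placeholder); "-" should no
# longer dominate and failed-logon reason codes become countable again:
#   index=<your_windows_index> EventCode=4776 | stats count by Error_Code
```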
I have this same issue. Do you by chance have a dumbed-down guide on where to access this? Newbie to Splunk here.