
Field alias Status AS Error_Code is wiping out the contents of the Error_Code field on Event ID 4776

gn694
Communicator

We recently migrated to a Splunk Environment where the Add-on for Microsoft Windows is installed and now have problems with some of our existing (migrated) dashboards and searches.

Events of EventCode 4776 now all have an Error_Code value of "-". Normally the Error_Code in this type of event would be something like 0x0 for a successful authentication or C000006A for a wrong password.

I looked at the contents of the Add-on and found a calculated field for Error_Code:

EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)

So, if the Error_Code is null it makes the value "-". BUT even though the Error_Code in these events is NOT null, the calculated field is still kicking in...

Further looking into the contents of the Add-on revealed the field alias:

FIELDALIAS-Status_as_Error_Code = Status AS Error_Code

So, since EventCode 4776 does not have a Status field (so it is null), the alias is making the Error_Code field value null, which then gets adjusted to "-" by the calculated field.

A different type of event - EventCode 4625 does have a Status field. There is no native field named Error_Code for it. But with the Add-on there is a Status field and an Error_Code field with the same value. Is that really needed?

Is there any reason why they decided to "clobber" the Error_Code field? For EventCode 4776, the Error_Code field is very useful for identifying successful vs unsuccessful authentications and determining the reason for the failed authentications. I can create a field extraction to get the value out but I really don't think I should have to in this case because it seems like this has to be some kind of a bug / undesired outcome.

I'm thinking of submitting a support request to Splunk but was curious as to other people's thoughts on this first.

1 Solution

gn694
Communicator

Update for anyone with this problem:
Go to the alias and uncheck the box labelled "Overwrite field values".
This will prevent Splunk from overwriting the existing Error_Code field.

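To make the ordering behind this thread concrete, here is an added example in Python; it is not code from the thread, from Splunk, or from the Splunk Add-on for Microsoft Windows. It models the two props.conf directives quoted above, applies them in Splunk's documented search-time order (field aliases before calculated fields), and shows why a 4776 event loses its Error_Code under `AS` but keeps it under `ASNEW`, which is the props.conf spelling of an alias with "Overwrite field values" unticked. Assumptions made here: an `AS` alias copies the source value into the destination even when the source is null (the behaviour the original post observed), `ASNEW` leaves a non-null destination alone, and the three sample events are constructed, not captured logs.

```python
"""Model of Splunk search-time field aliasing vs. calculated fields.

Added example, not Splunk code. Assumes: aliases run before EVAL-* fields;
'AS' copies the source value even when it is null (as observed in the
thread); 'ASNEW' never overwrites an existing non-null destination field.
"""
import re

# Constructed sample events (not real captures); only the relevant fields.
EVENT_4776_FAIL = {"EventCode": "4776", "Error_Code": "0xC000006A"}   # bad password
EVENT_4776_OK = {"EventCode": "4776", "Error_Code": "0x0"}            # success
EVENT_4625 = {"EventCode": "4625", "Status": "0xC000006D", "Sub_Status": "0xC000006A"}

# The add-on directives as quoted in the thread (alias overwrites).
ADDON_PROPS_AS = """
FIELDALIAS-Status_as_Error_Code = Status AS Error_Code
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
"""
# The same directives after unticking "Overwrite field values" (ASNEW).
ADDON_PROPS_ASNEW = """
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code
EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code)
"""

# Only the two directive shapes used on this page are parsed.
ALIAS_RE = re.compile(r"^FIELDALIAS-\S+\s*=\s*(\S+)\s+(AS|ASNEW)\s+(\S+)$")
EVAL_RE = re.compile(r'^EVAL-(\S+)\s*=\s*if\(isnull\((\w+)\),\s*"([^"]*)",\s*(\w+)\)$')


def parse_props(text):
    """Turn the props.conf fragment into an ordered list of operations."""
    ops = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ALIAS_RE.match(line)
        if m:
            ops.append(("alias", m.group(1), m.group(2), m.group(3)))
            continue
        m = EVAL_RE.match(line)
        if m:
            ops.append(("eval_isnull", m.group(1), m.group(2), m.group(3), m.group(4)))
            continue
        raise ValueError(f"unsupported directive for this model: {line}")
    return ops


def apply_props(event, ops):
    """Apply every alias first, then every calculated field, returning a new dict.

    A missing key and a None value are both treated as Splunk's null.
    """
    ev = dict(event)
    for op in ops:
        if op[0] == "alias":
            _, src, mode, dst = op
            if mode == "AS":
                ev[dst] = ev.get(src)            # overwrite, null included
            elif ev.get(dst) is None:            # ASNEW: fill only when empty
                ev[dst] = ev.get(src)
    for op in ops:
        if op[0] == "eval_isnull":
            _, dst, tested, fallback, otherwise = op
            ev[dst] = fallback if ev.get(tested) is None else ev.get(otherwise)
    return ev


def clobbering_aliases(event, ops):
    """List (source, destination) pairs of AS aliases that would null out a
    field this event already carries: the check to run before trusting a
    migrated dashboard."""
    return [
        (src, dst)
        for op in ops
        if op[0] == "alias"
        for _, src, mode, dst in [op]
        if mode == "AS" and event.get(src) is None and event.get(dst) is not None
    ]


if __name__ == "__main__":
    for label, props in (("AS", ADDON_PROPS_AS), ("ASNEW", ADDON_PROPS_ASNEW)):
        ops = parse_props(props)
        for ev in (EVENT_4776_FAIL, EVENT_4776_OK, EVENT_4625):
            out = apply_props(ev, ops)
            print(f"{label:5} EventCode={out['EventCode']} Error_Code={out['Error_Code']}"
                  f" clobbered_by={clobbering_aliases(ev, ops)}")
```

Running the script prints the 4776 events with Error_Code "-" under `AS` and with their real codes under `ASNEW`, while 4625 gets the Status value either way, so the `ASNEW` form loses nothing for 4625. On a real search head the effective alias lines can be confirmed with `splunk btool props list --debug`, which shows which app's props.conf supplies each FIELDALIAS.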

jerm1020rq
Explorer

I have this same issue. Do you by chance have a dumbed-down guide on where to access this? Newbie to Splunk here.
