I am trying to identify when a member has been removed from security-enabled groups such as domain admins, using index=wineventlog eventt_id=4729
but I am not finding anything with Group Name=Domain Admins?
Are you pulling in the logs in XML format?
For non-XML the field is Group_Name for Event ID 4729 (at least in my setup, which should be the standard Windows TA).
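
An added example, not part of the thread and not Splunk's or the TA's own code: a Python sketch of why the classic (non-XML) label "Group Name" is searched as Group_Name, and of a check for removals from Domain Admins. The sample event is constructed, and the key cleaning (non-word characters replaced by underscores) and the helper names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a classic (non-XML) 4729 rendering; all values invented.
SAMPLE_EVENT = """\
EventCode=4729
Message=A member was removed from a security-enabled global group.

Subject:
    Security ID:      EXAMPLE\\admin1
    Account Name:     admin1
    Account Domain:   EXAMPLE

Member:
    Security ID:      EXAMPLE\\jdoe
    Account Name:     CN=John Doe,OU=Users,DC=example,DC=com

Group:
    Security ID:      EXAMPLE\\Domain Admins
    Group Name:       Domain Admins
    Group Domain:     EXAMPLE
"""

# "Key: value" or "Key=value" on one line; section headers such as "Group:" carry no value.
KV = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ]*?)[ \t]*[:=][ \t]*(\S.*)$")
WATCHED_GROUPS = {"domain admins"}  # assumption: groups worth alerting on

def parse_event(text):
    """Return {cleaned_key: [values]}; repeated labels become multivalue fields."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = KV.match(line)
        if m:
            key = re.sub(r"\W+", "_", m.group(1))  # "Group Name" -> "Group_Name"
            fields[key].append(m.group(2).strip())
    return dict(fields)

def privileged_removal(fields):
    """Return a small alert dict for a 4729 on a watched group, else None."""
    if fields.get("EventCode") != ["4729"]:
        return None
    group = fields.get("Group_Name", [""])[0]
    if group.lower() not in WATCHED_GROUPS:
        return None
    # Account Name appears twice: first under Subject (actor), then under Member.
    actor, member = (fields.get("Account_Name", []) + ["-", "-"])[:2]
    return {"group": group, "removed_by": actor, "member": member}

if __name__ == "__main__":
    print(privileged_removal(parse_event(SAMPLE_EVENT)))
```

Because the label "Account Name" occurs under both Subject and Member, the cleaned field is multivalued, so the actor and the removed member have to be told apart by position.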