I seem to be having some issues working with AD event ID 4738. Unless I am doing or reading something wrong, one of the attributes clearly has a value in the raw AD log, yet Splunk does not seem to capture that value.
Below is a screenshot of an event 4738. See the "User Account Control" field and how it shows "Account Disabled". Under this screenshot I have included another showing how Splunk displays the returned values for that attribute. I have attempted to use REX, but seeing as Splunk doesn't see the value for "User Account Control", it isn't returning anything.
My goal is to be able to create a table showing the source, target, the change, and time. I can populate the other columns just fine.
Any help is GREATLY appreciated.
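
The symptom described above, reproduced as an added example in Python (not part of the original post and not Splunk's own extraction logic). It assumes the standard 4738 message layout, where the "User Account Control" value sits on the indented line(s) after the label and "User Parameters" is the next attribute; the sample event, account names and function names are constructed.

```python
import re

# Constructed sample in Splunk's WinEventLog text layout (trimmed); not from the post.
SAMPLE_4738 = (
    "01/15/2024 10:22:31 AM\n"
    "EventCode=4738\n"
    "Message=A user account was changed.\n"
    "Subject:\n"
    "\tAccount Name:\t\tadmin.ops\n"
    "Target Account:\n"
    "\tAccount Name:\t\tjdoe\n"
    "Changed Attributes:\n"
    "\tOld UAC Value:\t\t0x10\n"
    "\tNew UAC Value:\t\t0x11\n"
    "\tUser Account Control:\t\n"
    "\t\tAccount Disabled\n"
    "\tUser Parameters:\t-\n"
)

# Everything between the label and the next attribute, across line breaks.
UAC_RE = re.compile(r"User Account Control:[ \t]*(.*?)\s*User Parameters:", re.S)

def same_line_value(text):
    """What a 'key: value on one line' match sees: nothing after the label."""
    m = re.search(r"User Account Control:[ \t]*(.*)", text)
    return m.group(1).strip() if m else None

def uac_changes(text):
    """Flag changes listed under the label; '-' means the attribute did not change."""
    m = UAC_RE.search(text)
    lines = m.group(1).splitlines() if m else []
    return [ln.strip() for ln in lines if ln.strip() not in ("", "-")]

def section_field(text, section, field):
    """Read `field` from the indented block under `section:` (both blocks have 'Account Name')."""
    block = re.search(rf"^{re.escape(section)}:[ \t]*\r?\n((?:[ \t]+.*\r?\n?)+)", text, re.M)
    if not block:
        return None
    m = re.search(rf"^[ \t]+{re.escape(field)}:[ \t]*(.*?)\s*$", block.group(1), re.M)
    return m.group(1) if m else None

def to_row(raw):
    """One table row: time, source (who made the change), target, change."""
    return {
        "time": raw.splitlines()[0].strip(),
        "source": section_field(raw, "Subject", "Account Name"),
        "target": section_field(raw, "Target Account", "Account Name"),
        "change": "; ".join(uac_changes(raw)) or "-",
    }
```

The pattern in `UAC_RE` is ordinary PCRE-style syntax, so it can be carried into a `rex` command by prefixing `(?s)` and naming the capture group.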