Solved: Windows TA not Parsing "Error_Code" from 4776 Logs

jerm1020rq · ‎02-18-2020

Searching: index=sec_windows source=wineventlog:security EventCode=4776 action=failure

should return a field called Error_Code which signifies the error encountered by the authenticating user. This field parses "-" for everything which is incorrect. I have tried to use field extractor, but that still hasn't worked. I don't know why.

If I extract the field "inline":

| rex field=Message "Error\sCode:\s+(?0[^\s]+)"

it works but there are way too many events to do this

spayneort · ‎02-23-2020

It looks like there is a field alias overwriting this field. Try adding this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf on your search head:

[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code

Reference: https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Fieldaliasbehaviorchange

View solution in original post

spayneort · ‎02-23-2020

It looks like there is a field alias overwriting this field. Try adding this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf on your search head:

[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code

Reference: https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Fieldaliasbehaviorchange

Windows TA not Parsing "Error_Code" from 4776 Logs

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Are you a member of the Splunk Community?

Windows TA not Parsing "Error_Code" from 4776 Logs

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...