Searching: index=sec_windows source=wineventlog:security EventCode=4776 action=failure
should return a field called Error_Code, which signifies the error encountered by the authenticating user. This field parses as "-" for everything, which is incorrect. I have tried to use the field extractor, but that still hasn't worked. I don't know why.
If I extract the field "inline":
| rex field=Message "Error\sCode:\s+(?<Error_Code>[^\s]+)"
it works, but there are way too many events to do this.
It looks like there is a field alias overwriting this field. Try adding this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf on your search head:
[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code
Reference: https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Fieldaliasbehaviorchange
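Added illustration (not from the question, the answer, or the Splunk_TA_windows add-on): a small Python model of why the field comes back as "-" and why ASNEW fixes it. It runs the question's rex pattern over constructed 4776 Message text, then applies a FIELDALIAS with either AS or ASNEW semantics in the order Splunk uses at search time (extraction first, then alias). The Status value of "-" and the sample messages are assumptions built for the example.

```python
import re

# Constructed sample 4776 Message bodies (not real log data), laid out the
# way the Windows "Message" field is: one "Key: value" per line.
SAMPLE_MESSAGES = [
    "The computer attempted to validate the credentials for an account.\n"
    "Logon Account: jdoe\nSource Workstation: WS01\nError Code: 0xC000006A",
    "The computer attempted to validate the credentials for an account.\n"
    "Logon Account: svc-backup\nSource Workstation: WS07\nError Code: 0xC0000064",
    "The computer attempted to validate the credentials for an account.\n"
    "Logon Account: admin\nSource Workstation: WS02\nError Code: 0x0",
]

# Same pattern as the inline rex in the question, as a Python named group.
ERROR_CODE_RE = re.compile(r"Error\sCode:\s+(?P<Error_Code>[^\s]+)")


def extract_error_code(message):
    """Mirror of '| rex field=Message ...': return the code, or None if absent."""
    m = ERROR_CODE_RE.search(message)
    return m.group("Error_Code") if m else None


def apply_alias(fields, src, dst, mode):
    """Simplified model of FIELDALIAS: 'AS' overwrites dst with src,
    'ASNEW' only sets dst when dst does not already exist."""
    out = dict(fields)
    if src in out and (mode == "AS" or dst not in out):
        out[dst] = out[src]
    return out


def failure_codes(messages, status_value="-", mode="ASNEW"):
    """Count Error_Code values for failed validations (anything but 0x0),
    after the rex extraction and then the Status alias are applied."""
    counts = {}
    for msg in messages:
        fields = {"Status": status_value}  # assumed: Status is "-" on 4776
        code = extract_error_code(msg)
        if code is not None:
            fields["Error_Code"] = code
        fields = apply_alias(fields, "Status", "Error_Code", mode)
        code = fields.get("Error_Code")
        if code and code != "0x0":
            counts[code] = counts.get(code, 0) + 1
    return counts
```

With mode="AS" every event reports "-" (the symptom in the question); with mode="ASNEW" the extracted codes survive, which is the behaviour the props.conf stanza above restores.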