Splunk Search

How to only extract fields from Windows Security Event Log 4738 that have actual deltas to display in a table?


Windows Security Event Log eventid 4738 has multiple fields that Splunk extracts values for, which is great, but we're talking about 19+ fields, many of which usually have only a useless "-" for a value. That's too many fields to display all in one table on a dashboard. I want to build a table that displays only the values that are NOT "-"; I am only interested in the values that have actually been changed.

Here's an example of good 'ol 4738:

A user account was changed.


Security ID: ACME-FR\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d

Target Account:

Security ID: ACME-FR\John.Locke
Account Name: John.Locke
Account Domain: ACME-FR

Changed Attributes:

SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x4010
User Account Control:
'Not Delegated' - Enabled
User Parameters: -
SID History: -
Logon Hours: -

Additional Information:

Privileges: -

....So, the first problem is that I want some Splunk search commands that will go through all of the fields, discarding anything with "-" for a value, but adding anything else to a table, which will ultimately only show what's changed.

Second problem is: in the example, notice that the User Account Control: field has a value listed not on the same line, but instead underneath it, apparently on another line. Splunk does NOT see that text as a value for the field. I have tried using regex to capture that value, including things like new line ^, EOL $, multiple spaces \s+, but am unable to capture that text!!

Any suggestions?

0 Karma


This won't completely answer your question, but I had a similar one a few weeks back and the answer for me was to use SED scripting to filter out what I didn't want indexed. I was doing a simple find & replace, which works great if you absolutely never want to see those fields indexed. If it's conditional, it will be a little more complicated.

Here is the thread for my issue:

0 Karma


Sadly, this is conditional. I did consider using sed, but I don't know what I'll get in each event for field values. I thought about maybe replacing "-" with NULL and then performing some other Splunk command that would discard any fields with null values....if this is possible? And then how to get Splunk to display just the fields for each event that do NOT have a NULL value.....

0 Karma


Well, if the only time you don't want a field indexed is when it just has the "-", then using a SED script to ignore any fields with a value of '-' would be conditional. It would only eliminate the fields when they have a dash, and index them whenever the SED script filter doesn' t match.

Though, keep in mind that my intent on my issue was just to completely not index the fields I didn't want, not just to filter the search results.

0 Karma