Windows Security Event Log event ID 4738 has multiple fields that Splunk extracts values for, which is great, but we're talking about 19+ fields, many of which usually have only a useless "-" for a value. That's too many fields to display all in one table on a dashboard. I want to build a table that displays only the values that are NOT "-"; I am only interested in the values that have actually been changed.
Here's an example of good ol' 4738:
A user account was changed.
Subject:
Security ID: ACME-FR\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d
Target Account:
Security ID: ACME-FR\John.Locke
Account Name: John.Locke
Account Domain: ACME-FR
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x4010
User Account Control:
'Not Delegated' - Enabled
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -
So, the first problem is that I want some Splunk search commands that will go through all of the fields, discarding anything with "-" for a value, but adding anything else to a table, which will ultimately only show what's changed.
The second problem is: in the example, notice that the "User Account Control:" field has a value listed not on the same line, but instead underneath it, apparently on another line. Splunk does NOT see that text as a value for the field. I have tried using regex to capture that value, including things like new line ^, EOL $, multiple spaces \s+, but am unable to capture that text!
Any suggestions?
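As an added example (not the poster's code, and written in Python rather than SPL so it can be run directly), the following parser takes the 4738 message text above and does the two things the question asks for: it keeps only fields whose value is not "-", and it recovers the "User Account Control" value from the line underneath the field name. The trick for the second part is not a special newline regex but a two-state rule: a "Name:" line with an empty value is either a section header (if the next line is another field) or a multi-line field (if the next line has no "Name:" prefix). The sample message is constructed from the text in the question; the "Section/Name" key format and the helper names are my own. Splunk's rex command uses PCRE syntax, so once the continuation line is understood as a separate line of the raw event, the same idea can be expressed there with a multiline-mode pattern.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the event 4738 message from the question, as it
# would sit in a Splunk _raw event (indentation omitted, as in the post).
SAMPLE_4738 = """A user account was changed.
Subject:
Security ID: ACME-FR\\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d
Target Account:
Security ID: ACME-FR\\John.Locke
Account Name: John.Locke
Account Domain: ACME-FR
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x10
New UAC Value: 0x4010
User Account Control:
'Not Delegated' - Enabled
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -
"""

# A "Name: value" line. The value may be empty: that happens for section
# headers ("Subject:") and for fields whose value continues on the next
# line ("User Account Control:"). Name stops at the first colon, so values
# that contain colons (timestamps) are kept intact.
FIELD_RE = re.compile(r"^[ \t]*(?P<name>[^:\r\n]+?):[ \t]*(?P<value>.*?)[ \t]*$")
UNSET = "-"


def parse_4738(message: str) -> Dict[str, str]:
    """Return every field of the message as 'Section/Name' -> value.

    An empty-valued name followed directly by another 'Name:' line is a
    section header. An empty-valued name followed by a line with no
    'Name:' prefix is a multi-line field, and those lines become its value.
    """
    fields: Dict[str, str] = {}
    section = ""
    pending = None          # last empty-valued name, not yet classified
    pending_filled = False  # True once a continuation line was attached to it
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            if pending is not None and not pending_filled:
                section = pending  # it was a section header after all
            pending, pending_filled = None, False
            name, value = m.group("name"), m.group("value")
            if value:
                fields[f"{section}/{name}"] = value
            else:
                pending = name
        elif pending is not None:
            # Continuation line: becomes (part of) the pending field's value.
            key = f"{section}/{pending}"
            fields[key] = (fields.get(key, "") + " " + line.strip()).strip()
            pending_filled = True
        # Any other line (e.g. "A user account was changed.") is preamble.
    return fields


def changed_only(fields: Dict[str, str], section: str = "Changed Attributes") -> Dict[str, str]:
    """The table the question asks for: fields of one section whose value is not '-'."""
    prefix = section + "/"
    return {k[len(prefix):]: v for k, v in fields.items()
            if k.startswith(prefix) and v != UNSET}


def uac_delta(old_hex: str, new_hex: str) -> Tuple[int, int]:
    """Return (bits set, bits cleared) between the Old and New UAC values."""
    old, new = int(old_hex, 16), int(new_hex, 16)
    return (new & ~old, old & ~new)


if __name__ == "__main__":
    parsed = parse_4738(SAMPLE_4738)
    for name, value in changed_only(parsed).items():
        print(f"{name}: {value}")
    print("UAC bits set/cleared:", tuple(hex(b) for b in uac_delta(parsed["Changed Attributes/Old UAC Value"],
                                                                  parsed["Changed Attributes/New UAC Value"])))
```

On the sample, `changed_only` reduces the 18 "Changed Attributes" fields to the three that carry information (Old UAC Value, New UAC Value, User Account Control), and `uac_delta` shows that exactly one bit (0x4000) was set, which lines up with the "'Not Delegated' - Enabled" line the event prints underneath the field name.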