Here is an example; I have the same nagging issue.
This is a Windows security event when someone added a user to a domain group. I am looking to find out who made the change to an account, and which group they added them to. So I have some code to pull out the user information.
index=windows_security_eventlog sourcetype="WinEventLog:Security" (EventCode=4728)
| rex mode=sed field=Message "s/[\r\t]+/ /g"
| eval event_time = strftime(_time, "%Y-%m-%d %H:%M:%S %Z")
| eval changed_by=mvindex(Account_Name,0)
| eval modified_account=mvindex(Account_Name,1)
| table event_id event_time EventCode EventCodeDescription changed_by src_user modified_account user msad_action Group_Name Message
| sort 0 - event_time
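As an added illustration (not code from the original post), this Python snippet does the same thing the search above does outside Splunk: it flattens the CR/tab layout of a 4728 message exactly like the `rex mode=sed` line, then picks out the two `Account Name` values in document order, which is why `mvindex(Account_Name,0)` is the Subject (who made the change) and `mvindex(Account_Name,1)` is the Member (the account that was added). The sample message and its SIDs are constructed, not taken from a real domain.

```python
import re
from datetime import datetime, timezone

# Constructed sample 4728 message (not from the original post). The \r\n and
# \t layout mirrors what the Windows event log puts in the Message field.
SAMPLE_4728 = (
    "A member was added to a security-enabled global group.\r\n\r\n"
    "Subject:\r\n\tSecurity ID:\t\tS-1-5-21-111-222-333-1105\r\n"
    "\tAccount Name:\t\tjdoe\r\n\tAccount Domain:\t\tCORP\r\n"
    "\tLogon ID:\t\t0x3E7\r\n\r\n"
    "Member:\r\n\tSecurity ID:\t\tS-1-5-21-111-222-333-1201\r\n"
    "\tAccount Name:\t\tCN=svc-backup,OU=Service,DC=corp,DC=local\r\n\r\n"
    "Group:\r\n\tSecurity ID:\t\tS-1-5-21-111-222-333-512\r\n"
    "\tGroup Name:\t\tDomain Admins\r\n\tGroup Domain:\t\tCORP\r\n"
)


def field_values(flat: str, label: str) -> list:
    """Every value for a 'Label:' line, in document order.

    This is the same shape as a Splunk multivalue field: the first
    'Account Name' belongs to the Subject block, the second to the Member block.
    """
    return re.findall(rf"{re.escape(label)}:\s*(.*?)\s*\n", flat)


def parse_4728(message: str, epoch: float) -> dict:
    """Build the same row the search's `table` command produces for one event."""
    # Equivalent of `rex mode=sed field=Message "s/[\r\t]+/ /g"`: collapse
    # CRs and tabs to a single space, leaving the \n as the line separator.
    flat = re.sub(r"[\r\t]+", " ", message)
    account_names = field_values(flat, "Account Name")
    if len(account_names) < 2:
        raise ValueError("4728 message should carry a Subject and a Member Account Name")
    return {
        # Same format string as `strftime(_time, "%Y-%m-%d %H:%M:%S %Z")`
        "event_time": datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S %Z"),
        "EventCode": 4728,
        "changed_by": account_names[0],        # mvindex(Account_Name,0) -> Subject
        "modified_account": account_names[1],  # mvindex(Account_Name,1) -> Member
        "Group_Name": field_values(flat, "Group Name")[0],
    }


if __name__ == "__main__":
    print(parse_4728(SAMPLE_4728, 1705311000.0))
```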