Just came across this thread after noticing that full access lists for object access events exceeded field extraction limits.
My workaround will be to define extractions for each class of access, listing specific words I am concerned about the return of.
EventCode="4656" source=WinEventLog:security splunkforwarder
| rex max_match=0 "(?<change_level_accesses>(DELETE|WRITE_DAC|WRITE_OWNER|Set service configuration information|Stop the service|Pause or continue the service))"
| table _time host change_level_accesses
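An added example, not part of the original post: the `rex` above runs over the whole raw event, so a listed word that also appears in another field (here a process path) is returned as if it were a requested access. The Python below uses `re` as a stand-in for `rex max_match=0` and compares the whole-event match with one scoped to the access list. The sample event is constructed, and the `Accesses:` / `Access Reasons:` labels used as block boundaries are an assumption about the 4656 message layout.

```python
import re

# The alternation from the post's rex, unchanged.
CHANGE_LEVEL = re.compile(
    r"(DELETE|WRITE_DAC|WRITE_OWNER|Set service configuration information"
    r"|Stop the service|Pause or continue the service)"
)
# Assumption: the access list runs from "Accesses:" to the next labelled field.
ACCESSES_BLOCK = re.compile(r"Accesses:(.*?)\n\s*Access (?:Reasons|Mask):", re.S)

# Constructed sample event, not taken from a real log.
SAMPLE_4656 = """A handle to an object was requested.
Object:
\tObject Server:\t\tSC Manager
\tObject Type:\t\tSERVICE OBJECT
\tObject Name:\t\tsplunkforwarder
Process Information:
\tProcess Name:\t\tC:\\Temp\\DELETE_ME\\tool.exe
Access Request Information:
\tAccesses:\t\tREAD_CONTROL
\t\t\t\tWRITE_DAC
\t\t\t\tQuery service configuration information
\t\t\t\tStop the service
\tAccess Reasons:\t\t-
\tAccess Mask:\t\t0x60021
"""


def whole_event_matches(message):
    """All matches over the full raw event, as max_match=0 would return them."""
    return CHANGE_LEVEL.findall(message)


def scoped_matches(message):
    """Same alternation, applied only to the text of the Accesses list."""
    block = ACCESSES_BLOCK.search(message)
    return CHANGE_LEVEL.findall(block.group(1)) if block else []


if __name__ == "__main__":
    print("whole event:", whole_event_matches(SAMPLE_4656))
    print("access list:", scoped_matches(SAMPLE_4656))
```

In the constructed event the whole-event match reports `DELETE` because of the folder name in the process path, while the scoped match returns only the two accesses that were actually requested.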