Thanks so much. This 10 year old post helped me resolve my issue! ... View more

this removes null and uid from the target group. | search operationName="Add member to group" | stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.modifiedProperties{}.newValue", operationName, _time ``` removes uid ``` | regex properties.targetResources{}.modifiedProperties{}.newValue!=".{8}-.{4}-.{4}-.{4}-.{12}" ``` removes null value ``` | search NOT properties.targetResources{}.modifiedProperties{}.newValue="null" | rename "properties.initiatedBy.user.userPrincipalName" as initiated_user, "properties.targetResources{}.userPrincipalName" as target_user, "properties.targetResources{}.modifiedProperties{}.newValue" as group_name | eval group = replace(group_name, "\"", "") | eval initiated_user = lower(initiated_user), target_user = lower(target_user) ... View more

Curious, did you ever find a fix for this? ... View more

If everything else works OK (other logs are ingested properly), it seems to be a local permissions problem. You can try to check the _internal events from this forwarder but I don't remember if the eventlog access problems show up in the logs if you don't raise debugging levels. ... View more

What do you mean by the Indexer tier? Where would that be located in the file structure on a Windows syslog server? ... View more