×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
MacAllen
Engager
Member since: ‎08-14-2025
‎08-15-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎08-14-2025
Activity Feed
View All

Query giving multiple results in the same field, h...

by in Splunk Search
‎08-14-2025 01:04 PM
‎08-14-2025 01:04 PM
Doing a query on AD events for adding users to groups.  There are 3 events, one for each type of group.  2 of them are very straight forward, account_name is the account, group_name is the group, easy peasy.  However, event 4756 shoves everything into the account_name field, so I get something like this: Account_Name my_username CN=user_I_Added Enterprise Admins   All of this is in 1 line.  Looking inside the event, I get this: Subject: Security ID: mysid Account Name: my_username Account Domain: my domain Logon ID: 0xmyid   Member: Security ID: hersid Account Name: CN=her_username   Group: Security ID: groupside Account Name: Enterprise Admins Account Domain: my_domain   I'd like to select on group_name, but for some reason Enterprise Admins is shoved into one of 3 Account_names in the same event.  Suggestions on parsing this?  "Moving" the name to group_name? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-15-2025 06:40 AM
Karma given to
View All