For some Windows event logs (such as Security log Event Code 4624), the "Account Domain" field appears twice in the event, such as:
Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
Logon Type: 3
New Logon:
    Security ID: Domain\User
    Account Name: User
    Account Domain: Domain
    Logon ID: 0x10e78b284
    Logon GUID: {9C42AF4A-04C2-DB77-9462-7BF2E02E8CFD}
From what I can tell, Splunk is automatically extracting these fields. There is nothing in props.conf to extract the Account_Domain field. Since "Account Domain:" appears twice in the event, once with the value "-" and once with the value "Domain", the resulting event appears as "- Domain".
It isn't a multivalued field. I've tried applying makemv to it without success. I could turn it into a multivalued field if I used space as the delimiter, but that would then screw up fields where "NT AUTHORITY" is the domain.
Given that this seems to be an issue with how Splunk automatically extracts data for "key: value" pairs, does anyone have an idea how best to work around this so domains are identified properly?
Is there a way to use the "replace" function of eval in the data model setting for the dest_nt_domain field to replace the "- " value with nothing?
As far as I remember, dest_nt_domain is defined in a transforms.conf. The REGEX could be modified to avoid parsing "-" by creating a transforms.conf in the local directory, I guess.
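As an added illustration (not code from the question or from either reply), the following Python parse of a constructed 4624 message body shows why flat "key: value" extraction yields "- Domain" and how scoping each field to the section header above it ("Subject:" versus "New Logon:"), which is the same anchoring a transforms.conf REGEX would need, keeps the two Account Domain values apart; the tab layout and values are assumed, not captured from a real host.

```python
import re

# Constructed sample of a 4624 message body laid out as Windows renders it
# (section headers at column 0, fields indented); the values are made up.
EVENT_4624 = (
    "Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n"
    "\tLogon ID:\t\t0x0\n"
    "Logon Type:\t\t\t3\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tDomain\\User\n"
    "\tAccount Name:\t\tUser\n"
    "\tAccount Domain:\t\tDomain\n"
    "\tLogon ID:\t\t0x10e78b284\n"
    "\tLogon GUID:\t\t{9C42AF4A-04C2-DB77-9462-7BF2E02E8CFD}\n"
)

# A 'key: value' line; a bare header such as 'Subject:' has no value and does not match.
KV = re.compile(r"^[ \t]*(?P<key>[A-Za-z ]+?):[ \t]*(?P<value>\S.*?)[ \t]*$", re.MULTILINE)
# A section header: a name, a colon, and nothing else on the line.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+):[ \t]*$")

def naive_extract(text):
    """Flat extraction: a key seen twice keeps both values, giving '- Domain' for Account Domain."""
    fields = {}
    for m in KV.finditer(text):
        fields.setdefault(m.group("key"), []).append(m.group("value"))
    return {key: " ".join(values) for key, values in fields.items()}

def sectioned_extract(text):
    """Prefix each indented field with its section header so the two Account Domain lines stay distinct."""
    fields, section = {}, None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        m = KV.match(line)
        if m:
            name = f"{section}.{m.group('key')}" if section and line[:1].isspace() else m.group("key")
            fields[name] = m.group("value")
    return fields

def dest_nt_domain(text):
    """The value the question is after: the New Logon account's domain, with the '-'
    placeholder treated as absent. Multi-word domains such as NT AUTHORITY survive intact."""
    value = sectioned_extract(text).get("New Logon.Account Domain")
    return None if value in (None, "-") else value
```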
Hi responsys_cm,
this is not a direct answer to your question, but recently I got pointed at this blog about win-event-log:
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/
Maybe the xml-field-extractions are a bit more robust and already solve the problem with the key-value-extraction. Additionally it comes with more benefits which are described in the blog. At least something worth a try?
Greetings.