In order to find out if and when a member was added to a security group, I have done a search for EventCode=4728. The search returned the following:
10/20/2013 01:10:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4728
EventType=0
Type=Information
ComputerName=server1.domainname.com
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=5551234
Keywords=Audit Success
Message=A member was added to a security-enabled global group.
Subject:
Security ID: domainname\jdoe
Account Name: jdoe
Account Domain: domainname
Logon ID: 0x1e3ef1d1
Member:
Security ID: domainname\jdoe
Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com
Group:
Security ID: domainname\Test Users
Group Name: Test Users
Group Domain: domainname
Additional Information:
Privileges: -
Once I viewed this information I changed my search to look like this:
EventCode=4727 |rename Account_Name as Modifier | rename Group_Name as "Modified Group" |table _time, Host, Modifier, "Modified Group", user
My problem is that I don't know how to deal with the two account names when I display the information in a table. The Modifier displays the right information which is the first account name. I would like user to display the information from "Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com" and label it as "Member Added" as that is the member that was added to the Test Users group name.
Since Account_Name is a multivalued field, you'll have to get the correct value out of the array.
index=blah sourcetype=bleh EventCode = 4727
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Added = mvindex(Account_Name, 1)
| rename Group_Name AS Modified_Group
| table _time host Modifier Modified_Group Member_Added
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions
/K
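The mvindex approach from the answer above, as an added example in Python rather than SPL (this is not code from the page or from the answerer). It runs over the 4728 Message block quoted in the question and shows why Account_Name comes out as a two-element multivalue field: the Subject block and the Member block each carry an "Account Name:" line, and a flat extraction keeps them in the order they appear. The regexes, the flattening rule and the `sectioned_fields` cross-check are my own approximation of Splunk's Windows field extraction, not its actual implementation.

```python
import re
from collections import defaultdict

# Constructed sample: the Message block of the 4728 event quoted in the question
# above (Splunk would index the whole event; only these lines matter here).
SAMPLE_4728 = r"""Message=A member was added to a security-enabled global group.
Subject:
Security ID: domainname\jdoe
Account Name: jdoe
Account Domain: domainname
Logon ID: 0x1e3ef1d1
Member:
Security ID: domainname\jdoe
Account Name: CN=John Doe,OU=My Users OU,DC=domainname,DC=com
Group:
Security ID: domainname\Test Users
Group Name: Test Users
Group Domain: domainname
Additional Information:
Privileges: -
"""

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):$")       # e.g. "Subject:"
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")    # e.g. "Account Name: jdoe"


def flat_fields(event):
    """Approximate Splunk's default Windows-event extraction: every "Key: value"
    line becomes a field named Key_with_underscores, and a key that appears in
    more than one block (Account_Name, Security_ID) becomes a multivalue field
    whose order is the order the lines appear in the Message."""
    fields = defaultdict(list)
    for line in event.splitlines():
        line = line.strip()
        if SECTION_RE.match(line):          # block headers are not fields
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1).replace(" ", "_")].append(m.group(2))
    return dict(fields)


def mvindex(values, i):
    """Python equivalent of Splunk's mvindex(): element i of a multivalue field
    (negative i counts from the end); None when the field or index is absent."""
    if values is None:
        return None
    if isinstance(values, str):             # single-value field
        values = [values]
    try:
        return values[i]
    except IndexError:
        return None


def sectioned_fields(event):
    """Position-independent alternative (assumed, not a Splunk feature): keep
    each "Key: value" line under the block header it sits beneath."""
    blocks = defaultdict(dict)
    section = None
    for line in event.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KV_RE.match(line)
        if m and section is not None:
            blocks[section][m.group(1).replace(" ", "_")] = m.group(2)
    return dict(blocks)


def member_added_row(event):
    """The table row the answer builds with eval/mvindex, plus the Member value
    read from its own block so the positional pick can be cross-checked."""
    f = flat_fields(event)
    s = sectioned_fields(event)
    return {
        "Modifier": mvindex(f.get("Account_Name"), 0),       # Subject block
        "Member_Added": mvindex(f.get("Account_Name"), 1),   # Member block
        "Modified_Group": mvindex(f.get("Group_Name"), 0),
        "Member_Added_by_block": s.get("Member", {}).get("Account_Name"),
    }


if __name__ == "__main__":
    for key, value in member_added_row(SAMPLE_4728).items():
        print(f"{key}: {value}")
```

The thing to keep in mind with `mvindex(Account_Name, 1)` is that it is a positional pick: if an event's Subject block ever lacks the "Account Name:" line, the Member value shifts to index 0 and silently becomes the Modifier. Comparing the positional value against the one read from the Member block is a cheap way to catch that in a dashboard or alert.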
Thank you so much! This is extremely helpful for any event id pulled from the Windows Security Log. Often there are 2 or 3 fields named the same (e.g. Account_Name) and you only want to pull the one value out. Kristian's answer solved my issue big time.
Thank you Kristian. That worked, and you have opened my eyes to the fact that there are evaluation functions. I am very new at this. Thanks again for your help, it is much appreciated.