One of the empty fields is the Admin field, that is populated using fields which are getting the values using regex from the raw event :
and the Admin field is created with this macro :
Based on the screenshot they are present in the CustomEventLog. Are they also present in the events in Splunk? Please check that by for example searching:
`filter_dc_winseclog_events` (EventCode=4720 OR EventCode=4726)
and checking the raw events.