https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31190#M1155 <P>I'm getting events now, but for example I've looked at the "User Logon Failures" page. It doesn't return any results in any of the sections. I haven't looked at all of them, but the first one over time seems strange to me or maybe my data is strange.</P> <P>It uses this:<BR /> search eventtype=msad-failed-user-logons</P> <P>so I checked that eventtype and it's based on:<BR /> eventtype=msad-nt5-failed-user-logons OR eventtype=msad-nt6-failed-user-logons</P> <P>I've got only 2008 R2 so I looked at the nt6 eventtype:<BR /> eventtype=wineventlog-security EventCode=4625 user!="*$"</P> <P>This doesn't produce any search results for me as is. I removed the "user" field and get plenty of results. I can't actually see any "user" fields in the data I get.. however I have a field called "Account_Name" which seems to have the information I'm looking for. So I tried this search:</P> <P>eventtype=wineventlog-security EventCode=4625 Account_Name!="*$"</P> <P>I seem to get the failed logon attempts that the page is trying to retrieve. So I guess my question is.. is it normal for this to not work or should I actually have a "user" field?</P> Fri, 10 Aug 2012 01:48:19 GMT lfcowart 2012-08-10T01:48:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31190#M1155 <P>I'm getting events now, but for example I've looked at the "User Logon Failures" page. It doesn't return any results in any of the sections. I haven't looked at all of them, but the first one over time seems strange to me or maybe my data is strange.</P> <P>It uses this:<BR /> search eventtype=msad-failed-user-logons</P> <P>so I checked that eventtype and it's based on:<BR /> eventtype=msad-nt5-failed-user-logons OR eventtype=msad-nt6-failed-user-logons</P> <P>I've got only 2008 R2 so I looked at the nt6 eventtype:<BR /> eventtype=wineventlog-security EventCode=4625 user!="*$"</P> <P>This doesn't produce any search results for me as is. I removed the "user" field and get plenty of results. I can't actually see any "user" fields in the data I get.. however I have a field called "Account_Name" which seems to have the information I'm looking for. So I tried this search:</P> <P>eventtype=wineventlog-security EventCode=4625 Account_Name!="*$"</P> <P>I seem to get the failed logon attempts that the page is trying to retrieve. So I guess my question is.. is it normal for this to not work or should I actually have a "user" field?</P> Fri, 10 Aug 2012 01:48:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31190#M1155 lfcowart 2012-08-10T01:48:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31191#M1156 <P>I've looked at the Windows Security Operations Center app and it seems to join the "User Name" and "Account_Name" fields to produce results.</P> Fri, 10 Aug 2012 02:02:46 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31191#M1156 lfcowart 2012-08-10T02:02:46Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31192#M1157 <P>Ok so I read the instructions and I guess I misunderstood them. I thought that the AD app needed to be added to the index instance and the Windows_TA only to the DCs. But I added the Windows_TA to the splunk indexer and it seems to have fixed it. Even though I get a nasty error when opening the Windows_TA app since I'm using a Linux server.</P> Mon, 28 Sep 2020 12:14:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31192#M1157 lfcowart 2020-09-28T12:14:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31193#M1158 <P>You need to add the splunk_TA_Windows to your splunk instance for field extractions. You can disable all the inputs in the app (and you should on a Linux box), or even just remove the inputs.conf file - we just need the field extractions.</P> Mon, 28 Sep 2020 12:14:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31193#M1158 ahall_splunk 2020-09-28T12:14:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31194#M1159 <P>I am also facing the same problem. I have put the all the add-on required in forwarder as shown in below snapshot:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29iF829B9693261B6AD/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Also I have installed all the required add on my indexer.</P> <P>Please help !</P> Mon, 27 Jun 2016 07:25:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31194#M1159 rishabhey2016 2016-06-27T07:25:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31195#M1160 <P>I am facing the same problem. I have put all the necessary add-on on the splunk forwarder , and installed on the indexer as well. I am not able to get the account name instead i am getting user field. </P> <P>Please help</P> Mon, 27 Jun 2016 07:31:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Not-getting-results-in-several-security-dashboards/m-p/31195#M1160 rishabhey2016 2016-06-27T07:31:06Z