https://community.splunk.com/t5/Getting-Data-In/For-Wineventlog-Event-ID-captures-User-info-but-why-does-Splunk/m-p/150122#M30527 <P>Have you verified that the WinEventLog: Application input stanza is configured to translate:</P> <P>e.g.</P> <P>[WinEventLog:Application]<BR /> evt_resolve_ad_obj = 1</P> <P>inputs.conf.spec:</P> <P>evt_resolve_ad_obj = [1|0]<BR /> * How the input should interact with Active Directory while indexing Windows<BR /> Event Log events.<BR /> * If you set this setting to 1, the input resolves the Active<BR /> Directory Security IDentifier (SID) objects to their canonical names for<BR /> a specific Windows Event Log channel.<BR /> * If you enable the setting, the rate at which the input reads events<BR /> on high-traffic Event Log channels can decrease. Latency can also increase<BR /> during event acquisition. This is due to the overhead involved in performing<BR /> AD translations.<BR /> * When you set this setting to 1, you can optionally specify the domain<BR /> controller name or dns name of the domain to bind to with the 'evt_dc_name'<BR /> setting. The input connects to that domain controller to resolve the AD<BR /> objects.<BR /> * If you set this setting to 0, the input does not attempt any resolution.<BR /> * Defaults to 0 (disabled) for all channels.</P> Tue, 29 Sep 2020 12:35:53 GMT dgrubb_splunk 2020-09-29T12:35:53Z https://community.splunk.com/t5/Getting-Data-In/For-Wineventlog-Event-ID-captures-User-info-but-why-does-Splunk/m-p/150121#M30526 <P>Issue is that for the Wineventlog for Application channel EventCode=11707 and EventCode=11724, intermittently _raw data User is reported as “User=NOT_TRANSLATED”</P> Tue, 29 Sep 2020 06:51:02 GMT https://community.splunk.com/t5/Getting-Data-In/For-Wineventlog-Event-ID-captures-User-info-but-why-does-Splunk/m-p/150121#M30526 rbal_splunk 2020-09-29T06:51:02Z https://community.splunk.com/t5/Getting-Data-In/For-Wineventlog-Event-ID-captures-User-info-but-why-does-Splunk/m-p/150122#M30527 <P>Have you verified that the WinEventLog: Application input stanza is configured to translate:</P> <P>e.g.</P> <P>[WinEventLog:Application]<BR /> evt_resolve_ad_obj = 1</P> <P>inputs.conf.spec:</P> <P>evt_resolve_ad_obj = [1|0]<BR /> * How the input should interact with Active Directory while indexing Windows<BR /> Event Log events.<BR /> * If you set this setting to 1, the input resolves the Active<BR /> Directory Security IDentifier (SID) objects to their canonical names for<BR /> a specific Windows Event Log channel.<BR /> * If you enable the setting, the rate at which the input reads events<BR /> on high-traffic Event Log channels can decrease. Latency can also increase<BR /> during event acquisition. This is due to the overhead involved in performing<BR /> AD translations.<BR /> * When you set this setting to 1, you can optionally specify the domain<BR /> controller name or dns name of the domain to bind to with the 'evt_dc_name'<BR /> setting. The input connects to that domain controller to resolve the AD<BR /> objects.<BR /> * If you set this setting to 0, the input does not attempt any resolution.<BR /> * Defaults to 0 (disabled) for all channels.</P> Tue, 29 Sep 2020 12:35:53 GMT https://community.splunk.com/t5/Getting-Data-In/For-Wineventlog-Event-ID-captures-User-info-but-why-does-Splunk/m-p/150122#M30527 dgrubb_splunk 2020-09-29T12:35:53Z