https://community.splunk.com/t5/Splunk-Search/Why-is-the-search-bringing-quot-quot-account-results-for-event/m-p/439554#M125041 <P>Do you see the SID reported in those events?</P> <P>If so, it may be that you do not have <CODE>evt_resolve_ad_obj = 1</CODE> set on the inputs.conf stanza for the security event log.</P> <P>This setting will force the Splunk UF to try to resolve the SID to a user account<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor</A></P> <P>See this post, where I made a few suggestions on how to address this<BR /> <A href="https://answers.splunk.com/answers/732772/why-are-user-details-missing-in-the-splunk-logs.html#answer-731902">https://answers.splunk.com/answers/732772/why-are-user-details-missing-in-the-splunk-logs.html#answer-731902</A></P> Thu, 14 Mar 2019 09:54:48 GMT nickhills 2019-03-14T09:54:48Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-search-bringing-quot-quot-account-results-for-event/m-p/439552#M125039 <P>Hi,</P> <P>This is the search that we are using for the dashboard and it brings all events with value "-".</P> <PRE><CODE>index=wineventlog EventCode=4625 host=* Account_Name!=*$ | stats count by Account_Name | eventstats sum(count) as Failures by count | table Account_Name, Failures | sort -Failures </CODE></PRE> <P>Please advice</P> Wed, 13 Mar 2019 17:08:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-search-bringing-quot-quot-account-results-for-event/m-p/439552#M125039 sjimenezp 2019-03-13T17:08:22Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-search-bringing-quot-quot-account-results-for-event/m-p/439553#M125040 <P>Advise about what? What are your desired results?</P> Wed, 13 Mar 2019 23:44:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-search-bringing-quot-quot-account-results-for-event/m-p/439553#M125040 richgalloway 2019-03-13T23:44:07Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-search-bringing-quot-quot-account-results-for-event/m-p/439554#M125041 <P>Do you see the SID reported in those events?</P> <P>If so, it may be that you do not have <CODE>evt_resolve_ad_obj = 1</CODE> set on the inputs.conf stanza for the security event log.</P> <P>This setting will force the Splunk UF to try to resolve the SID to a user account<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor</A></P> <P>See this post, where I made a few suggestions on how to address this<BR /> <A href="https://answers.splunk.com/answers/732772/why-are-user-details-missing-in-the-splunk-logs.html#answer-731902">https://answers.splunk.com/answers/732772/why-are-user-details-missing-in-the-splunk-logs.html#answer-731902</A></P> Thu, 14 Mar 2019 09:54:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-search-bringing-quot-quot-account-results-for-event/m-p/439554#M125041 nickhills 2019-03-14T09:54:48Z