https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312741#M93632 <P>Unfortunately I am not sure exactly which one does it, i do know that after enabling all it was showing up. can you tag this with "Splunk Security Essentials", the developer usually replies back very quickly.</P> Fri, 16 Mar 2018 14:19:56 GMT tnorth42 2018-03-16T14:19:56Z https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312738#M93629 <P>I have added Security Essentials on my indexer and the Splunk_TA_windows app on the forwarders however when i run the First Time Logon to New Server query I get </P> <P>'You should have a field called "user" defined in your Windows Security logs. This is provided by the Splunk TA for Windows. Consider adding that TA to make for a better experience!'</P> <P>How do I define fields? Does this add-on change the user_logon field from the security event log to user for cim or something?</P> Tue, 29 Sep 2020 14:54:47 GMT https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312738#M93629 samhodgson 2020-09-29T14:54:47Z https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312739#M93630 <P>You need to setup the inputs.conf for the Splunk_TA_windows app.</P> <P><A href="https://docs.splunk.com/Documentation/WindowsAddOn/4.8.4/User/Configuration" target="_blank">https://docs.splunk.com/Documentation/WindowsAddOn/4.8.4/User/Configuration</A></P> Tue, 29 Sep 2020 18:17:29 GMT https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312739#M93630 tnorth42 2020-09-29T18:17:29Z https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312740#M93631 <P>tnorth42 - I have inputs.conf set up. Which specific stanza in the inputs.conf file needs to be enabled?</P> Fri, 16 Mar 2018 12:15:01 GMT https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312740#M93631 pil321 2018-03-16T12:15:01Z https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312741#M93632 <P>Unfortunately I am not sure exactly which one does it, i do know that after enabling all it was showing up. can you tag this with "Splunk Security Essentials", the developer usually replies back very quickly.</P> Fri, 16 Mar 2018 14:19:56 GMT https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312741#M93632 tnorth42 2018-03-16T14:19:56Z https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312742#M93633 <P>Same problem for me. Apparently the user field is not extracted correctly in Splunk 7.03 when the AD server OS is in a foreign laguage, in my casi spanish</P> Fri, 08 Mar 2019 15:32:15 GMT https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312742#M93633 luis290311 2019-03-08T15:32:15Z https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312743#M93634 <P>You actually need to have the "Splunk Add-on for Microsoft Windows" installed on your Searcheads/Indexers.<BR /> <A href="https://splunkbase.splunk.com/app/742/">https://splunkbase.splunk.com/app/742/</A><BR /> This will configure all of the necessary field extractions in order to allow those searches to run, and as you have noted formats the data inline with the Splunk Common Information Model</P> <P>When you install the TA on an indexer/SH you don't need to configure anything, simply install and restart when prompted.</P> <P><EM>Sidenote: Best practices says that ideally you remove the inputs.conf/eventgen.conf/sample data when installing to Production, but not strictly necessary.</EM></P> Fri, 08 Mar 2019 15:57:01 GMT https://community.splunk.com/t5/Splunk-Search/Define-user-field-in-Security-Essentials/m-p/312743#M93634 nickhills 2019-03-08T15:57:01Z