doksu, thanks for your answer.
I do not understand one thing; the /etc/passwd in my splunk (Windows 2012r2) has the users of the splunk web, not the users of the linux server (the one that it is sending the logs to my Splunk).
I run the command in the Linux, but that does not replicate in the app in the Splunk.
I have to copy the file from my Linux to the server that it is running the Splunk? or create the file manually?

thanks again.

agustinac, the awk command in the documentation points at /etc/passwd on Linux, not $SPLUNK_HOME/etc/passwd

The method you use to produce the local_posix_identities lookup on the Splunk search head doesn't matter. If your search head is a Windows machine you won't be able to use the awk command provided in the documentation and will need to find another Linux machine in your fleet from which to produce the csv then copy to the search head. If you need assistance with this process, please ask your local Splunk Sales Engineer who can assist with the process in person.

I strongly recommend you don't use Windows for Splunk (or other big data) servers, please see: https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html

dosku, thanks very much! that is exactly what I did. Now the user_tty view its working just fine, and the posix_identities csv file has updated with the value 0,root from de local posix identities file.
Also thanks for you advice on using a Linux instead of a Win for de indexer, I will have that in mind.
regards!