Salesforce eventtype=sfdc-login-history does not show user details in Splunk Cloud version


Hi All,

I have configured the Splunk App for Salesforce and the Splunk Addon for Salesforce in Splunk Cloud, and all dashboards are working fine except the Logon Analytics dashboard. I have checked that the UserType dropdown is not showing any data. I have also checked that the sfdc-login-history event shows login history data, but user details are missing, i.e. UserType, Firstname, Lastname, etc.

For the same Salesforce Org, all data is visible in the Splunk Enterprise version, but we need to implement the Cloud version.

Splunk App for Salesforce version is 3.0
Splunk Addon for Salesforce version is 2.0

Is there any issue with lookups in the Splunk App for Salesforce?


I realize this is an old question and you have probably found a fix, but this just happened to me as well, so I wanted to share what I found for any other users who stumble on this in the future.

The problem I found is that all of the inputs have a default of 90 days' worth of history, and look at the last modified date for the objects. In the case of user accounts, very few of our user accounts had been modified in the past 90 days, so almost no user data was populated in the sfdc:user sourcetype. That sourcetype is used to populate the user lookup, which is then used by many of the dashboards to convert a user ID into actual named users.

The fix for me was to disable all of the SFDC inputs, delete the sfdc index and start all of the inputs over with much longer initial dates. In my case I was able to go back to when our SFDC instance was created because it is a relatively small environment, but that guarantees that I have user data for all users in our SFDC instance.
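
A search to confirm the gap described in the answer above, added here as an example and not part of the original post or of the app: it lists user IDs that have login events but no event in the sfdc:user sourcetype. The sfdc index and sfdc:user sourcetype come from the thread; the sfdc:loginhistory sourcetype and the Id and UserId field names are assumptions based on the Salesforce User and LoginHistory objects, so adjust them to your data.

```spl
index=sfdc (sourcetype="sfdc:user" OR sourcetype="sfdc:loginhistory") ```assumed names: sfdc:loginhistory, Id, UserId```
| eval uid=if(sourcetype=="sfdc:user", Id, UserId)
| stats count(eval(sourcetype=="sfdc:loginhistory")) AS logins
        count(eval(sourcetype=="sfdc:user")) AS user_records
        BY uid
| where logins > 0 AND user_records == 0
| sort - logins
```

Run it over All time. Each row is a user ID that logs in but has no user record to feed the lookup; after re-ingesting with an earlier start date the search should return no rows.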

