Getting Data In

For Wineventlog, Event ID captures User info, but why does Splunk raw data show user User=NOT_TRANSLATED?

Splunk Employee

The issue is that for the WinEventLog Application channel, EventCode=11707 and EventCode=11724 intermittently report the raw-data User as “User=NOT_TRANSLATED”.


Splunk Employee

Have you verified that the WinEventLog: Application input stanza is configured to translate:

e.g.

[WinEventLog:Application]
evt_resolve_ad_obj = 1

inputs.conf.spec:

evt_resolve_ad_obj = [1|0]
* How the input should interact with Active Directory while indexing Windows
Event Log events.
* If you set this setting to 1, the input resolves the Active
Directory Security IDentifier (SID) objects to their canonical names for
a specific Windows Event Log channel.
* If you enable the setting, the rate at which the input reads events
on high-traffic Event Log channels can decrease. Latency can also increase
during event acquisition. This is due to the overhead involved in performing
AD translations.
* When you set this setting to 1, you can optionally specify the domain
controller name or DNS name of the domain to bind to with the 'evt_dc_name'
setting. The input connects to that domain controller to resolve the AD
objects.
* If you set this setting to 0, the input does not attempt any resolution.
* Defaults to 0 (disabled) for all channels.
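A quick way to audit this across a whole inputs.conf is to parse it and list every WinEventLog stanza where evt_resolve_ad_obj is absent or 0 (the spec default), since those are the channels that can surface NOT_TRANSLATED users. This is an added example, not code from the thread or from Splunk; the inputs.conf text and the dc01.example.local hostname are constructed.

```python
import configparser
from typing import Dict, List

# Constructed sample inputs.conf: the Application stanza omits
# evt_resolve_ad_obj entirely, so it inherits the default of 0.
SAMPLE_INPUTS_CONF = """
[WinEventLog:Security]
disabled = 0
evt_resolve_ad_obj = 1
evt_dc_name = dc01.example.local

[WinEventLog:Application]
disabled = 0

[WinEventLog:System]
disabled = 0
evt_resolve_ad_obj = 0

[monitor://C:\\logs\\app.log]
sourcetype = app_log
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style inputs.conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(
        allow_no_value=True,   # Splunk permits bare keys
        interpolation=None,    # values may legitimately contain '%'
        delimiters=("=",),     # Splunk only uses '=' as key/value separator
        strict=False,
    )
    cp.optionxform = str       # keep setting names case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def wineventlog_stanzas_without_sid_resolution(text: str) -> List[str]:
    """Return WinEventLog stanzas whose evt_resolve_ad_obj is missing or not 1."""
    flagged = []
    for name, settings in parse_inputs_conf(text).items():
        if not name.startswith("WinEventLog:"):
            continue
        if settings.get("evt_resolve_ad_obj", "0").strip() != "1":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for stanza in wineventlog_stanzas_without_sid_resolution(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: SID resolution disabled (evt_resolve_ad_obj != 1)")
```

Enabling resolution on a busy channel adds AD lookup overhead per event, so weigh the throughput cost noted in the spec before turning it on everywhere.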