I found a problem when I migrated Splunk from Windows Server 2003 to Windows Server 2008.
I created an alert for local or global group changes.
It works well in Windows Server 2003. But in Windows Server 2008, there is only Sid, no Account Name. Here is an example, where I add myself into the administrator group. (I have changed some real information...) Thank you in advance!