Getting Data In

Splunk Translation issues

Twagner79
Explorer

Good morning all, 

I am still new to Splunk configuration and was lucky enough to inherit a mostly functional setup. Right now, the main issue I am having is converting the SIDs to their respective user names.  The evt_resolve_ad_obj = 1 fix did not work. Any other insight as to what could fix this problem would help me a lot. Thanks in advance! 

Labels (4)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @Twagner79,

There is not much data you gave us for help. Are you using Universal Forwarder to get windows data? I assume it is Windows Security event logs? Did you put evt_resolve_ad_obj into your inputs on your Universal Forwarders? Are you using Deployment Server ? Did you restart Universal Forwarder after his setting?

If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
SplunkTrust
SplunkTrust

Hi @Twagner79,

There is not much data you gave us for help. Are you using Universal Forwarder to get windows data? I assume it is Windows Security event logs? Did you put evt_resolve_ad_obj into your inputs on your Universal Forwarders? Are you using Deployment Server ? Did you restart Universal Forwarder after his setting?

If this reply helps you an upvote is appreciated.

Twagner79
Explorer

Hey scelikok, yes your solution worked. Sorry for the lack of details, I can only share so much. Thank you!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...