Solved: Re: Splunk Translation issues

Twagner79 · ‎04-19-2021

Good morning all,

I am still new to Splunk configuration and was lucky enough to inherit a mostly functional setup. Right now, the main issue I am having is converting the SIDs to their respective user names. The evt_resolve_ad_obj = 1 fix did not work. Any other insight as to what could fix this problem would help me a lot. Thanks in advance!

scelikok · ‎04-20-2021

Hi @Twagner79,

There is not much data you gave us for help. Are you using Universal Forwarder to get windows data? I assume it is Windows Security event logs? Did you put evt_resolve_ad_obj into your inputs on your Universal Forwarders? Are you using Deployment Server ? Did you restart Universal Forwarder after his setting?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎04-20-2021

Hi @Twagner79,

There is not much data you gave us for help. Are you using Universal Forwarder to get windows data? I assume it is Windows Security event logs? Did you put evt_resolve_ad_obj into your inputs on your Universal Forwarders? Are you using Deployment Server ? Did you restart Universal Forwarder after his setting?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Twagner79 · ‎09-29-2021

Hey scelikok, yes your solution worked. Sorry for the lack of details, I can only share so much. Thank you!

Splunk Translation issues

CSV

host

index

Windows

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?