I am still new to Splunk configuration and was lucky enough to inherit a mostly functional setup. Right now, the main issue I am having is converting the SIDs to their respective user names. The evt_resolve_ad_obj = 1 fix did not work. Any other insight as to what could fix this problem would help me a lot. Thanks in advance!
There is not much data you gave us for help. Are you using Universal Forwarder to get windows data? I assume it is Windows Security event logs? Did you put evt_resolve_ad_obj into your inputs on your Universal Forwarders? Are you using Deployment Server ? Did you restart Universal Forwarder after his setting?