The Owner selection in Incident Review filters by the account "Full name", but the Investigations filter to add users to the investigation only displays and filters on the account name.
I expect that all user lookups in Splunk ES should behave similarly, if not identically. If only one field is available, I'd prefer the "Full name". But filtering on both might be nice, if it isn't noisy and doesn't add too much to the backend.
Version: Splunk ES on 7.3.3