I have added Security Essentials on my indexer and the Splunk_TA_windows app on the forwarders however when i run the First Time Logon to New Server query I get
'You should have a field called "user" defined in your Windows Security logs. This is provided by the Splunk TA for Windows. Consider adding that TA to make for a better experience!'
How do I define fields? Does this add-on change the user_logon field from the security event log to user for cim or something?
You actually need to have the "Splunk Add-on for Microsoft Windows" installed on your Searcheads/Indexers.
This will configure all of the necessary field extractions in order to allow those searches to run, and as you have noted formats the data inline with the Splunk Common Information Model
When you install the TA on an indexer/SH you don't need to configure anything, simply install and restart when prompted.
Sidenote: Best practices says that ideally you remove the inputs.conf/eventgen.conf/sample data when installing to Production, but not strictly necessary.
Unfortunately I am not sure exactly which one does it, i do know that after enabling all it was showing up. can you tag this with "Splunk Security Essentials", the developer usually replies back very quickly.