Splunk Search
Highlighted

Why is the search bringing "-" account results for event 4625?

New Member

Hi,

This is the search that we are using for the dashboard and it brings all events with value "-".

index=wineventlog EventCode=4625 host=* Account_Name!=*$  | stats count by Account_Name
| eventstats  sum(count) as Failures by count | table Account_Name, Failures  | sort -Failures

Please advice

0 Karma
Highlighted

Re: Why is the search bringing "-" account results for event 4625?

SplunkTrust
SplunkTrust

Advise about what? What are your desired results?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: Why is the search bringing "-" account results for event 4625?

Ultra Champion

Do you see the SID reported in those events?

If so, it may be that you do not have evt_resolve_ad_obj = 1 set on the inputs.conf stanza for the security event log.

This setting will force the Splunk UF to try to resolve the SID to a user account
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

See this post, where I made a few suggestions on how to address this
https://answers.splunk.com/answers/732772/why-are-user-details-missing-in-the-splunk-logs.html#answe...

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.