Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the search bringing "-" account results for event 4625?

sjimenezp
New Member
‎03-13-2019 10:08 AM

Hi,

This is the search that we are using for the dashboard and it brings all events with value "-".

index=wineventlog EventCode=4625 host=* Account_Name!=*$  | stats count by Account_Name
| eventstats  sum(count) as Failures by count | table Account_Name, Failures  | sort -Failures

Please advice

0 Karma
Reply

nickhills
Ultra Champion
‎03-14-2019 02:54 AM

Do you see the SID reported in those events?

If so, it may be that you do not have evt_resolve_ad_obj = 1 set on the inputs.conf stanza for the security event log.

This setting will force the Splunk UF to try to resolve the SID to a user account
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

See this post, where I made a few suggestions on how to address this
https://answers.splunk.com/answers/732772/why-are-user-details-missing-in-the-splunk-logs.html#answe...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-13-2019 04:44 PM

Advise about what? What are your desired results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...