Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the search bringing "-" account results for event 4625?

sjimenezp
New Member
‎03-13-2019 10:08 AM

Hi,

This is the search that we are using for the dashboard and it brings all events with value "-".

index=wineventlog EventCode=4625 host=* Account_Name!=*$  | stats count by Account_Name
| eventstats  sum(count) as Failures by count | table Account_Name, Failures  | sort -Failures

Please advice

0 Karma
Reply

nickhills
Ultra Champion
‎03-14-2019 02:54 AM

Do you see the SID reported in those events?

If so, it may be that you do not have evt_resolve_ad_obj = 1 set on the inputs.conf stanza for the security event log.

This setting will force the Splunk UF to try to resolve the SID to a user account
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

See this post, where I made a few suggestions on how to address this
https://answers.splunk.com/answers/732772/why-are-user-details-missing-in-the-splunk-logs.html#answe...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-13-2019 04:44 PM

Advise about what? What are your desired results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top