Hi @czql5v, so what I mean by "it may be elsewhere" is, say for example, a software engineer develops an authentication application; they may well log data in the log files to show why the user's log is failing, alongside other events. Now, Microsoft logs a lot of events, and do they actually log why? Yes, for some; for example, eventID 4625 is a bad password, and we know that, and we can look for that. As you said, it's not a bad password, so this is really a Microsoft-related issue; it's not Splunk. Splunk is designed to ingest log files, as you have done via AD, and we search those logs to find information, but if that data, eventID or information is not in the log file, then we can't search for it. Maybe look at some of the Microsoft forums and post a question there; they may be able to help debug the issue or even tell you what eventID relates to this issue, if there is such an eventID.