I want to be able to tag Windows system accounts, but it doesn't seem to be working correctly in 5.0 and 5.0.1, installed on Linux. I have Windows machines with Splunk forwarders on them, and they are recording events that have the following users:
ANONYMOUS LOGON
LOCAL SERVICE
NETWORK SERVICE
MYCOMPUTERNAME$
I can create tags for them, but because they have spaces and dollar signs in their name, they show on the Tags Manager pages with the URI-encoded equivalent, so that spaces become %20 and the dollar sign is %24. When I try to modify the key/value pair or change its permissions from, for example, "List by field value pair" page, I get a 404 with the message:
Splunk cannot find "saved/fvtags/user=ANONYMOUS%20LOGON".
... View more