I had been running the Splunk App for Active Directory version 1.1.3 on our Windows Server 2008 SP2 for a couple of weeks and noticed that when I would run the "Security->User Logon Failures" screen the "Failed Logons by Username" would show several logon failures for various users as expected which is very useful information.
The issue I discovered was when I click one of the offending users the "User Audit" page often would show the "No results found. Inspect ..." Following the link, I would get to the "Search job inspector" page showing the search string used to find the data:
eventtype=msad-failed-user-logons dest_nt_domain="MYDOMAIN" user="myuser"
When I would paste this string into the search page I would indeed get no search results, but if I remove the "dest_nt_domain=MYDOMAIN" string I would get back the expected results. Checking the results I would not find a dest_nt_domain, but instead I would find a dest_nt_host instead with one of my domain controllers.
Now I believe this is kind behavior is spotty because if I fail from a Windows System I think I can get the correct response. Yesterday, I upgraded my Splunk App for Active Directory to version 1.1.4 to see if I experienced a behavioral change, but it still exhibits the same issue. I wonder if there is a way to somehow omit the dest_nt_domain from the initial search string and get uniform behavior for all of our failed logon attempts.
I'm seeing the same problem. If you remove "dest_nt_domain" or switch it with "src_nt_domain" it works.
I've opened a ticket with splunk.
Any resolution to that ticket? I am trying to resolve the same issue