Getting Data In

For Wineventlog, Event ID captures User info, but why does Splunk raw data show user User=NOT_TRANSLATED?

rbal_splunk
Splunk Employee
Splunk Employee

Issue is that for the Wineventlog for Application channel EventCode=11707 and EventCode=11724, intermittently _raw data User is reported as “User=NOT_TRANSLATED”

0 Karma

dgrubb_splunk
Splunk Employee
Splunk Employee

Have you verified that the WinEventLog: Application input stanza is configured to translate:

e.g.

[WinEventLog:Application]
evt_resolve_ad_obj = 1

inputs.conf.spec:

evt_resolve_ad_obj = [1|0]
* How the input should interact with Active Directory while indexing Windows
Event Log events.
* If you set this setting to 1, the input resolves the Active
Directory Security IDentifier (SID) objects to their canonical names for
a specific Windows Event Log channel.
* If you enable the setting, the rate at which the input reads events
on high-traffic Event Log channels can decrease. Latency can also increase
during event acquisition. This is due to the overhead involved in performing
AD translations.
* When you set this setting to 1, you can optionally specify the domain
controller name or dns name of the domain to bind to with the 'evt_dc_name'
setting. The input connects to that domain controller to resolve the AD
objects.
* If you set this setting to 0, the input does not attempt any resolution.
* Defaults to 0 (disabled) for all channels.

Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...