ok the solution is simple user is null because it contain splunk action that contain dash
it mean contain user that are not specific in index=_internal
actually you can see this hit on "sourcetype=splunk_web_access" and sourcetype=splunk_access" on index=_internal
I guess its for Splunk actions which are not user specific. You might be seeing this on "sourcetype=splunk_web_access" and "sourcetype=splunk_access" on index=_internal
What logs did you see this happen in? Does the log contain any other information about the connection? You might be able to use something like a source IP address to assist in attribution.