Hello,
I've been working on this w/ Splunk Support and we recently discovered that having user_group="*" was causing no results running the Group Changes dashboard or msad-group-changes search because it's not extracting correctly into the Group column (see example):
But without it:
Anyone know why this is occurring? I know that user_group="*" because it works in another search, so why doesn't it work for this one? Any advice is appreciated.