Doc searching turned up the answer (I think):
http://www.splunk.com/base/Documentation/4.1.5/Admin/Inputsconf
evt_resolve_ad_obj = 1|0 Enables/disables resolving Active Directory objects like GUID/SID objects for a specific Windows event log channel. By default this option is turned on for Security event logs. Optionally you can specify the Domain Controller name and/or DNS name of the domain to bind to, which Splunk will then use to resolve the AD objects.
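As an added illustration of the documented settings (not a config from the original post or from Splunk's own files), here is an inputs.conf stanza for the local Security channel that turns resolution on and pins the lookups to a specific domain controller and domain. The DC name and domain FQDN are placeholders; substitute your own.

```ini
# Security channel: resolve SIDs/GUIDs in event data to account and object names.
# evt_resolve_ad_obj is on by default for Security, so the line is explicit for clarity.
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
# Optional: bind to a named DC and domain rather than letting the forwarder pick one.
# Hypothetical values; replace with a DC that is reachable from this host.
evt_dc_name = dc01
evt_dns_name = corp.example.local

# A channel where resolution is off (the default for non-Security channels);
# raw SIDs stay in the event text, which is cheaper but less searchable.
[WinEventLog://System]
disabled = 0
evt_resolve_ad_obj = 0
```

The forwarder must be able to reach the named DC over LDAP as the account Splunk runs under; if the bind fails, events still arrive but with unresolved SIDs, so check splunkd.log for resolution errors before assuming the setting is ignored.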
Does this work for "remote pulled" event logs as well? I've put the following in inputs.conf but it does not seem to be doing lookups.
[default]
evt_dc_name =
evt_dns_name =

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
index = eventlog_filtering_test
evt_resolve_ad_obj = 1   # resolve GUIDs and SIDs in the event data
Hey muebel, did that solve your problem? If so, please accept the answer as correct to close this question out. Thanks dude!