We have been running a search that returns results for user and computer account creation. For the past week or so, the search no longer returns results for event IDs that I have verified are in the event log on the domain controller. Events were previously found as recently as 8/21 and are still found if I change the time range to include that data. I am not aware of any system changes since 8/21 that would have caused the null results.
The search we are using is:
EventCode="645" OR EventCode="624" OR EventCode="631" OR EventCode="4720" OR EventCode="4741" OR EventCode="4727" | top src_user user
If I search on other event IDs from the security log in Splunk, they are found without issue, but the test user and computer accounts I created today and entries from others that I know have been created in the past few days are not found in the search results.
Any thoughts on what the issue might be?
Thanks