reighnman
commented
8 years ago Do you have leading wild card searches enabled? If that resolved the issue I'll have to add it to the requirements
gralog.conf: allow_leading_wildcard_searches = true
Otherwise you can edit the dashboard and remove "SubjectUserName:*$ OR " but you'll see system accounts in the results.
I ahve this error on the Dahsboard -- AD DNS Object Summary (7d)
Cannot parse 'EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:$ OR SubjectUserName:SYSTEM OR SubjectUserName:-)': '' or '?' not allowed as first character in WildcardQuery