Does the Proxy have the authentication feature enabled for users in order to get to the Web?
If this feature is turned on, then DLP incidents will have a username, but it will probably have the Domain in the field (Domain\username). This way EVERY incident will have a username that can be used to do a further lookup. You would need to script a process to remove the Domain information and then do an LDAP lookup with the username information. Otherwise you will have some that have a username and some that don't, which I believe is what you have now.
This could be further scripted using one of the methods below:
https://www.symantec.com/connect/forums/lookup-ip-sender-email-or-sender-ip-logged-user
or
https://www.symantec.com/connect/downloads/dlp-vontu-custom-script-lookup-network-incident-hostnames
Hope this helps!
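
As an added example that is not part of the original post or of any Symantec script: one way to strip the domain from the incident's user field and build the LDAP search filter for the lookup. It assumes an Active Directory style directory (the `sAMAccountName` attribute and `objectClass=user`); the function names are hypothetical, and the value is escaped per RFC 4515 so that an unexpected character in the field cannot change the filter.

```python
# RFC 4515 characters that must be escaped inside a filter assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def split_identity(raw):
    """Return (domain, username) from DOMAIN\\user, user@domain or bare user.

    Returns (None, None) when the field is empty, which is the case for
    incidents captured without proxy authentication.
    """
    raw = (raw or "").strip()
    if not raw:
        return None, None
    if "\\" in raw:                      # down-level logon name: DOMAIN\user
        domain, _, user = raw.rpartition("\\")
    elif "@" in raw:                     # UPN form: user@domain
        user, _, domain = raw.partition("@")
    else:                                # already a bare username
        domain, user = "", raw
    user = user.strip()
    return (domain.strip() or None, user or None)


def build_user_filter(raw, attribute="sAMAccountName"):
    """Build the LDAP search filter for an incident's user field, or None.

    The default attribute is an assumption (Active Directory); pass another
    attribute name, such as uid, for a different directory.
    """
    _, user = split_identity(raw)
    if user is None:
        return None
    return "(&(objectClass=user)({}={}))".format(attribute, escape_filter_value(user))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real incident export.
    for sample in ["CORP\\jsmith", "jsmith@corp.example", "jsmith", "", "CORP\\j*)(cn=*"]:
        print(repr(sample), "->", build_user_filter(sample))
```

A `None` result marks an incident with no usable username, which is where the IP or hostname lookups linked above would take over.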