Splunk Support for Active Directory (SA-ldapsearch) is installed and configured on my search heads. When running the test on any system that has it installed, the test function completes.
When trying to run nearly any ldap search, it will take hours to return results.
For example, this search for the App Search Activity:
ldapsearch domain=`SA-LDAPSearch-Domain` search="(&(objectclass=user)(!(objectclass=computer)))"| fields description title cn dn sn name displayName givenName whenChanged sAMAccountName mail manager c l o st telephoneNumber department company directReports physicalDeliveryOfficeName | makemv directReports tokenizer="(?i)(CN=.*?dc=\S*)"| eval NumDirectReports = if(isnull(directReports),0,mvcount(directReports)) | fields - directReports _raw _time
Takes about 7 hours to return results.
We do have an insanely large domain here. I am sure that this is part of the reason.
Unfortunately, the Splunk App for Windows Infrastructure isn't populating a lot of drop-downs, and I suspect it is all related to the SA-ldapsearch search time returns.