My AD query for Asset or Identity list generation takes a long time to run, is there any way to speed it up?
For instance, suppose my version of the search Splunk supplies as a starting point looks like this:
| ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority=case( like(distinguishedName,"%OU=Expired,DC=MyDC,DC=local"), "critical",
like(distinguishedName,"%OU=Vendors,DC=MyDC,DC=local"), "critical",
like(distinguishedName,"%OU=Support,DC=MyDC,DC=local"), "high",
like(distinguishedName,"%OU=SYSTEMS,DC=MyDC,DC=local"), "medium",
like(distinguishedName,"%OU=Users,DC=MyDC,DC=local"), "low",
1==1,"medium" )
| eval category=case( like(distinguishedName,"%OU=Expired,DC=MyDC,DC=local"), "expired",
like(distinguishedName,"%OU=Vendors,DC=MyDC,DC=local"), "vendors",
1==1,"normal" )
| eval watchlist="false"
| eval endDate=if(accountExpires="(never)","",accountExpires)
| rex field=manager "CN=(?[^,]*)"
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile,
managedBy, priority, department, category, watchlist, whenCreated, endDate
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first,
sn as last, mail as email, telephoneNumber as phone, mobile as phone2, department as bunit, whenCreated as startDate
| outputlookup MyCompany_identities
My current search takes 400 seconds (+/- 5 seconds) to finish. How can I make this faster?
↧