All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Supporting Add-on for Active Directory: Why is a simple ldapsearch search slow to return results?

_smp_
Builder
‎06-01-2017 12:27 PM

First let me say I'm no Active Directory expert so maybe this behavior is expected. But I have successfully installed the Splunk Supporting Add-on for Active Directory and tested the connection. When I run a simple search, there's a relatively long (~10s) delay before the results are returned. Here's what my search looks like:

| ldapsearch domain=ACME search="(&(objectClass=user)(samAccountName=george))" attrs="department"

The search takes about 9 seconds, which seemed strange to me so I took a packet capture. After the bind, it looks like the add-on is sending a subSchema search for 12 attributes. A couple of those attributes (dITContentRules and attributeTypes) have a lot of values - 647 and 4108 respectively. It's the transmission of these attribute values that is causing the search to take so long. Once the add-in sends the actual search based on my search term, the response is almost immediate.

Is it normal for the add-on to send that initial subSchema query? Is there some reason it's necessary, or some way to suppress it?

0 Karma
Reply

pappjr
Path Finder
‎06-01-2017 06:17 PM

Hi @scottprigge,

The Splunk Supporting Add-on for Active Directory is notorious for taking unusually long to return results. I have seen similar issues myself in just about every client environment I've used it in. Attached is the most descriptive thread of fellow Splunkers lamenting this issue:

https://answers.splunk.com/answers/329748/how-do-i-improve-ldapsearch-performance.html

Sounds like this is an issue for the developers, maybe you could open a ticket with your findings and help push them along?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...