I ve just configured active directory monitoring based on Splunk 7.3 Active Directory inputs. The AD connexion is running well, but the first sync is limited.
I opened a case, as a solution, Splunk support said admon is limited to approximatively 1000 assets on the first sync.
My AD count 32000 users, 60000 computers and much more object !
Had you used this monitoring on large active directory architecture ?
What type of input do you use to get AD assets ?