Does INDEXED_EXTRACTIONS work for Active Directory

a212830
Champion

Hi,

I'm looking at options for improving some reporting for a heavy feed from AD. Is INDEXED_EXTRACTIONS supported for AD events?

0 Karma

jkat54
SplunkTrust

You have many options.

  1. Increase search speed by throwing faster / more disk at it.

  2. Create data models to drive the dashboard

  3. Create better / optimized searches.

  4. Reduce the panels (I try to force everyone to put six panels max)

  5. Create a root dashboard search if applicable.

  6. "Power" the dashboard with accelerated searches where applicable or scheduled reports.

  7. "Power" the dashboard with summarized data.

sloshburch
Ultra Champion

I agree. Esp the data model (accelerated) as well as using post process searches in the dashboard.

0 Karma

jkat54
SplunkTrust

To my knowledge INDEXED_EXTRACTIONS only works on csv, psv, JSON, or xml data. It causes the KvP to be indexed which takes up more disk space but can provide a boost in speed at search time. If you're not indexing those types of data however, the setting won't do anything.

If you do desire to fully index the field however and you're not ingesting such structured data, you can do so with the TRANSFORM-className stanza in props.conf and a corresponding entry in transforms.conf.

Doing so however would add more "pressure" on the indexing side as it takes longer to write more data and this is probably not the solution you're looking for since you're describing the data as "heavy". If you're looking for extra bandwidth on the indexing side, let us know and we can offer some solutions. If you're experiencing slow search across this data, then we can offer other ideas.

0 Karma
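The index-time extraction described in the answer above, sketched as an added example that is not part of the original post. In props.conf the setting is written `TRANSFORMS-<class>`. The sourcetype name, field name and regex below are assumptions made for illustration.

```ini
# ---- props.conf (on the instance that parses the data: indexer or heavy forwarder) ----
# "my_ad_sourcetype" is a placeholder; substitute the sourcetype of your AD feed.
[my_ad_sourcetype]
TRANSFORMS-ad_indexed = ad_event_code_indexed

# For comparison, structured data (csv, psv, JSON, xml) needs no transform:
# [my_json_sourcetype]
# INDEXED_EXTRACTIONS = json

# ---- transforms.conf (same instance as props.conf above) ----
[ad_event_code_indexed]
# Assumes the raw event contains text such as "EventCode=4624" (constructed sample);
# adjust the regex to match your events.
REGEX = EventCode=(\d+)
# Write the capture as an indexed field named ad_event_code (hypothetical name).
FORMAT = ad_event_code::$1
# Append to the index-time metadata instead of replacing it.
WRITE_META = true

# ---- fields.conf (on the search head) ----
# Tells search that this field is stored in the index, not extracted at search time.
[ad_event_code]
INDEXED = true
```

Only events indexed after the change carry the new field. Once they do, a search such as `| tstats count where index=<your_index> sourcetype=my_ad_sourcetype by ad_event_code` can count values from the index files without reading raw events.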

a212830
Champion

Thanks. The AD feed is pretty busy, and I have a customer who wants to present a dashboard that does about 9 or 10 different panels, with different counts of fields and values. Unfortunately, the dashboard takes waaay too long, so I'm looking for ways to speed it up.

0 Karma