Does INDEXED_EXTRACTIONS work for Active Directory

a212830
Champion

Hi,

I'm looking at options for improving some reporting for a heavy feed from AD. Is INDEXED_EXTRACTIONS supported for AD events?


jkat54
SplunkTrust

You have many options.

  1. Increase search speed by throwing faster / more disk at it.

  2. Create data models to drive the dashboard

  3. Create better / optimized searches.

  4. Reduce the panels (I try to force everyone to put six panels max)

  5. Create a root dashboard search if applicable.

  6. "Power" the dashboard with accelerated searches where applicable or scheduled reports.

  7. "Power" the dashboard with summarized data.

sloshburch
Splunk Employee

I agree. Esp. the data model (accelerated) as well as using post-process searches in the dashboard.


jkat54
SplunkTrust

To my knowledge INDEXED_EXTRACTIONS only works on csv, psv, JSON, or xml data. It causes the KvP to be indexed which takes up more disk space but can provide a boost in speed at search time. If you're not indexing those types of data however, the setting won't do anything.

If you do desire to fully index the field however and you're not ingesting such structured data, you can do so with the TRANSFORM-className stanza in props.conf and a corresponding entry in transforms.conf.

Doing so however would add more "pressure" on the indexing side as it takes longer to write more data and this is probably not the solution you're looking for since you're describing the data as "heavy". If you're looking for extra bandwidth on the indexing side, let us know and we can offer some solutions. If you're experiencing slow search across this data, then we can offer other ideas.

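As an added illustration of the two mechanisms described in the answer above (not configuration from the thread or from Splunk's own docs), the fragments below contrast INDEXED_EXTRACTIONS on a structured CSV export with a TRANSFORMS-class indexed field on raw AD events; the sourcetype names, the regex and the field name are assumptions chosen for the example.

```ini
# --- props.conf ---
# Case 1: a structured feed (CSV export of AD data, assumed sourcetype).
# INDEXED_EXTRACTIONS indexes every column as a key/value pair at index
# time; it does nothing for sourcetypes that are not csv/psv/tsv/json/xml.
[ad_csv_export]
INDEXED_EXTRACTIONS = csv
TIMESTAMP_FIELDS = timestamp

# Case 2: unstructured AD security events (assumed sourcetype). The props.conf
# key is spelled TRANSFORMS-<class>; the value names a transforms.conf stanza.
[ad_security_events]
TRANSFORMS-ad_indexed = ad_event_code_indexed

# --- transforms.conf ---
# WRITE_META = true writes the extracted key/value into the index (an indexed
# field) instead of leaving it for search-time extraction. Every indexed field
# costs disk and indexing throughput, which is the "pressure" the answer warns
# about, so index only the one or two fields the dashboard filters on.
[ad_event_code_indexed]
REGEX = EventCode=(\d+)
FORMAT = event_code::$1
WRITE_META = true

# --- fields.conf ---
# Declares event_code as indexed so the search head uses the index rather
# than re-extracting it from _raw.
[event_code]
INDEXED = true
```

Once indexed, a panel can filter with `sourcetype=ad_security_events event_code::4624 | stats count`; the `field::value` form makes Splunk use the indexed field directly rather than a search-time extraction.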

a212830
Champion

Thanks. The AD feed is pretty busy, and I have a customer who wants to present a dashboard that does about 9 or 10 different panels, with different counts of fields and values. Unfortunately, the dashboard takes waaay too long, so I'm looking for ways to speed it up.
