Ldapsearch query speed difference

omershira

Greetings,

We have a Splunk environment with 3 Search Heads in the SHC.

We try to perform an ldapsearch command using the SA-LDAPsearch 3.0.2 add-on.

The search takes a devastating 18-19 seconds to load on the first and third Search Heads but on the second one it takes 3-4 seconds.

We inspected the job and saw that, according to the search.log, the second SH indeed takes milliseconds between each action, while the other two take 2-3 seconds between each internal step.

We tried to speed up the ldapsearch with the "attrs" and "basedn" settings but even though it helped a little bit, 19 seconds is still too much time...

The three search heads have identical resources and settings.

What can be the cause of this major difference, and what can I do to speed up the ldapsearch, or in what way can I debug it better?

Thanks,

OmerShira
