I am having no luck listing users' memberships with in a group, using ldapsearch. I am not an AD LDAP expert, either. Lets say I have a domain called Foo, and an OU (group) called Bar, with 10 users.  Each user has additional memberships to other groups. I am looking to list the membership attr for each user. I am starting with  | ldapsearch domain=default search="(&(objectClass=user))"... but I don't know what to add. Thank you 

Hello! I have recently just downloaded Splunk on my MAC for experimenting/practicing searching and dashboarding. I just picked a random csv file that has planetary information. One of the fields in my .csv file has a mix of numbers without commas, and three numbers that have a comma. EX: 59,800 I think this is causing those values to not show up in my visualization. Is there a way to remove said comma from the field value? I tried using this below in the source code under the visualization but it says it's an unknown option name. <option name="useThousandSeparators">false</option>  

Hi (お世話になっております) An application logs to "/var/log/messages". (ある既製のアプリケーションから、/var/log/messages にログが出力されています。) However, unfortunately, the delimiter is \x09. (但し、区切り文字が、\x09 となっています。) Is it possible to replace the delimiter with a space or comma on the "suplunk Universal forwarder" side and forward it? ("suplunk universal fowarder" 側で、区切り文字をスペースやカンマに置き換えてから転送することは可能でしょうか？) The version of 'splunk' is unknown. ("splunk"のバージョンは不明です。) The version of "suplunk Universal forwarder" is "9.0.1". ("suplunk universal fowarder"のバージョンは、"9.0.1"です。) "suplunk Universal forwarder" is installed in RHEL8.5. ("suplunk universal fowarder"は、RHEL8.5にインストールしています。) Thanks! (よろしくお願いいたします)

The UF service failed to start after a reboot on a Windows Server.   I've addressed that issue, but there are logs that were generated during the downtime that are not being forwarded.  Is there any way to force the entries up?

I'm really bad when it comes to join searches, though I've been doing this for years.  I'm able to find the list of orphaned searches using:   | rest /servicesNS/-/-/admin/directory count=0 splunk_server=<splunkserver> | rename eai:* as *, acl.* as * | eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y")) | sort type | eval sAMAccountName=owner | stats count by title orphaned sAMAccountName sharing type owner updated app disabled | search orphaned=1   and we have a summary index containing our LDAP users & managers for those users. Using the following search returns users and their managers:   index=metrics_summary source="LDAP*" source IN("LDAP GROUP USER DIVISION Summary Index Search" "LDAP_GROUP_USER_DIVISION_Summary_Index_Search" lookup_ldap_group_user_division) sAMAccountName=e* OR sAMAccountName=v* |table sAMAccountName displayName mail department division manager   But I haven't been able to join the two searches together to give me the manager name of the user w/ the orphan search. I've tried variations of the following:   | rest /servicesNS/-/-/admin/directory count=0 splunk_server=<splunkserver> | rename eai:* as *, acl.* as * | eval updated=strptime(updated,"%Y-%m-%dT%H:%M:%S%Z"), updated=if(isnull(updated),"Never",strftime(updated,"%d %b %Y")) | sort type | eval sAMAccountName=owner | stats count by title orphaned sAMAccountName sharing type owner updated app disabled | search orphaned=1 | join sAMAccountName type=outer max=0 [|search index=metrics_summary source="LDAP*" source IN("LDAP GROUP USER DIVISION Summary Index Search" "LDAP_GROUP_USER_DIVISION_Summary_Index_Search" lookup_ldap_group_user_division) | stats latest(_time) AS latest values(displayName) values(mail) values(distinguishedName) values(department) values(division) latest(userAccountControl) values(manager) by sAMAccountName | rename values(*) AS *, latest(*) AS *]   but this only comes back w/ results from the rest call.  I know I get results using the summary index search. How do I merge these?   Thanks