Thanks for the info, The ticket may be closed now. ... View more

@tom_frotscher is correct. When you use | collect , the data is written to the Search Head's disk, and then read and stored where the index is defined. If you used the GUI to create the summary index, it got created on the Search Head, which is wrong: you should make sure that every index exists only on the Indexers. It is exceedingly rare that the speed of the Search Head's disk is given any consideration at all and it is quite common for a Search Head to have very much slower IOPS than we ensure that Indexers have and by default, you will make 2 writes to the Search Head. First, make sure that the summary index is on the Indexers. That should make a big difference. ... View more

Interesting solution with evaluating token in condition. Thanks! ... View more

What exactly do you mean by index in this case? Not the Splunk sense of index I guess? In general: yes you can collect data from Active Directory. Either by crafting your own powershell scripts for instance to make ldap queries. Or by using the ldapsearch add-on: https://splunkbase.splunk.com/app/1151/ ... View more