According to the amazing @davidpaper, the full details are:
Beginning with Splunk 6.5, the indexing threads wrongly attempt to authenticate during indexing, adding significant load on LDAP based external authentication services. This authentication incorrectly attempts to authenticate non-existing external auth users, in this case the splunk system user.
And can be found in Section 25 here:
https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/ConfigureLDAPwithSplunkWeb
The key is to look for “Operations error” in splunkd.log and that indicates the LDAP services are failing to keep up with the rate of queries.
... View more