Activity Feed
- Posted Re: Windows Infrastructure app is not showing reports under "Active Directory > users > User Reports" whereas "users overview" dashboard and all other dashboards in the app are showing data? on Getting Data In. 10-12-2016 09:53 PM
- Posted Re: Windows Infrastructure app is not showing reports under "Active Directory > users > User Reports" whereas "users overview" dashboard and all other dashboards in the app are showing data? on Getting Data In. 10-12-2016 03:25 AM
- Posted Re: How do I display results on map in 6.2 on Splunk Search. 01-21-2016 03:05 PM
- Posted Re: Why are some LDAP groups not being mapped to Splunk roles? on Security. 01-20-2016 09:40 PM
- Posted Re: How to create a customized app which contains a login page with name and submit button? on Security. 01-04-2016 03:16 PM
- Posted Re: How to work out the age of a user based on date of birth? on Splunk Search. 01-04-2016 02:41 PM
10-12-2016
09:53 PM
These dashboards require the LDAP Search support app running in the background doing queries, so you need this app installed on the search head as well. These dashboards do live queries to AD.
These two links should help. The first one explains that you need the ldapsearch app.
http://docs.splunk.com/Documentation/MSApp/1.3.0/MSInfra/TroubleshoottheSplunkAppforWindowsInfrastructure
http://docs.splunk.com/Documentation/SA-LdapSearch/2.1.3/User/ConfiguretheSplunkSupportingAdd-onforActiveDirectory
10-12-2016
03:25 AM
Did you ever get to the bottom of this one?
01-21-2016
03:05 PM
Have you tried using the details at these URLs? They document the geostats and iplocation commands, which you are trying to use.
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Geostats
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Iplocation
Here is an example of a command doing what I believe you are trying to achieve:
sourcetype=access_combined clientip=* status!=200
| dedup clientip, host
| iplocation prefix=cip_ clientip
| geostats latfield=cip_lat longfield=cip_lon count by status
01-20-2016
09:40 PM
Are there more than 1000 users in the Base DN you have configured?
The error in the splunkd log looks like it's searching your Base DN of CN="cn=users,cn=accounts,dc=example,dc=com" and maybe not using the filter at all?
Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.
In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned, which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.
In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit. Is there a typo in your filter at all? This page has some good examples: http://blogs.splunk.com/2009/10/01/ldap-basefilter-examples/
Cheers, Nick
01-04-2016
03:16 PM
You could tackle this by using a reverse proxy (such as IIS or Apache) which has a customized logon page. That logon page would then single sign-on (SSO) you into Splunk, so you don't have to type a username in twice.
Details on how to configure this are here: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Security/HowSplunkSSOworks
Then when the user logs in, you could make it so they only get access to your specific app, or at least make it the default app, depending on your use case and whether they would need to see other apps or only this specific one.
To display the currently logged-in user, try using the REST API, something like this:
| rest /services/authentication/current-context | table username
01-04-2016
02:41 PM
1 Karma
Hi Amohlmann,
Could this existing Splunk Answers help?
https://answers.splunk.com/answers/231771/how-to-extract-age-from-a-birthday-field-before-th.html
Cheers, Nick