This worked for me on my updated version - thanks! ... View more

Hi @PickleRick , I completely follow you time sync (NTP) is crucial on all layers of data sources towards Splunk if correlations shall work and make sense. I've worked a lot with time on quite a few customers sites, and way too many don't have control over their time and timezone. To the question if this would make sense or not, there is no doubt to me, that it would, and for more than one reason: Troubleshooting (mainly) time skewing latency queuing Just to name a few. As of today it not possible to measure the latency between tiers, and you'll have to use other methods to find bottlenecks etc. Yes - additional fields will be needed, and multi-value is a no-go and a mess as I see it. The challenge is, as I see it: How to add additional fields to cooked data (which they will be on the first HFwd), do you know how to do that? Is it possible to create an app on ie. the indexer (last tier), that will add the arrival at the indexer. PS. I'm know this is the _indextime if, and only if there is no HFwd between the UF and the Indexer, else _indextime will be set at first HFwd, which is useless for this purpose. @isoutamo - Your idea about adding an idea at splunk is fine, but my experience with it is no so positive, it's too slow in my opinion. The smartest and fastest ideas comes here 👍   ... View more

I know why I added the idea😉 ... View more

This was how to change the timestamp, what about number formats? How and where do you change the thousand separator from comma to dot, and vise versa the decimal separator from dot to comma. See - that would change my (and a whole lot others) world to a new dimension! ... View more

When sizelimit is set to 10000, and we still only can get 1000 rows out of: | rest services/admin/LDAP-groups using SPL, and ldapsearch can easily provide the 10000. What is then wrong? We running v7.1.3 ... View more

Hi Skalli, I valid your points, but there are more constraints here - unfortunate. We're over capacity on our Index cluster, and we can't get more core to the existing servers, that's just the way it is. So I'm frankly looking for alternatives to how we can add more capacity while keeping the current servers. Bjarne ... View more

Same problem here, and turned it into Splunk Sweden, but have no reply yet! ... View more

Hi, try the limit= argument with ldapsearch https://docs.splunk.com/Documentation/SA-LdapSearch/latest/User/Theldapsearchcommand but as written before, as long as your LDAP server has a limit of 1000 (default for most of the LDAP implementations) you will not be able to retrieve more results. cheers, MuS ... View more