Good idea, but sadly that doesn't work either. On the chart, all points are assigned a value of _time=0. Would post a screenshot, but already exceeded my two img upload limit for this post. ... View more

1) SAML2.0 is pretty standard. What makes Splunk support only specific Identity Providers rather than all the standard SAML2.0 implementations out there?! Every vendors implement portion of SAML 2.0 and leave out the rest. We need to test / ensure that the IdP works with our code base. This will help us to meet our cloud related SLA to our customers. 2) Does Splunk Cloud support deep link URLs? Yes we do, We track the user’s link(example – a saved search link etc.) using the ‘relayState’ parameter of SAML. When a user logs in using SAML, we sent the user’s link to the IDP as a part of the SAML request in a SP initiated workflow. Once the user is authenticated, we get the relayState back in the SAML response and we redirect the user to the link. 3) Which default SAML binding does Splunk require HTTP POST Or REDIRECT Or ARTIFACT?! Does it support other bindings too? We support POST (6.3/6.4), REDIRECT (6.4.1) 4) How can I get the sp metadata from Splunk Cloud? Log in as a local user. Navigate to splunkweb’s endpoint - ‘https://:/en-us/saml/spmetadata' endpoint. This has Splunk’s SP metadata and you can copy the entire xml out. Note:- If saml is not configured, a template entity id called ‘SplunkentityId’ is generated as a placeholder. This entity id can be changed when SAML is configured. #thankyoueng ... View more

One way might be to have a periodic dump of Active directory users into a lookup file using the SA for LDAP. The dump would include all relevant information like the domain, username, and first & last names for the users. You could then use a lookup to resolve the field in the logs to what's in AD. Make sense? Can go into more detail if needed. ... View more