We have worked through the certificate problems, but still receive the error "No valid Splunk role is found in the local mapping or in the assertion." We have tried to follow the troubleshooting guide and have tried two different formats for the Splunk group mapping. 1) Plain Mapping -- saml_users to user splunk role. 2) DN style: "cn=keyscan,ou=dynamicgroup,ou=groups,dc=companydc" Neither of these styles seem to work and we have checked to make sure that the mapping has a trailing semicolon and is properly formatted in the authentication.conf. Any ideas? ... View more

I tried your solution, which makes perfect sense. Unfortunately, it still didn't index. I tried to replace the extraction with one coming from _raw, and it worked, so the plumbing is there. Any ideas on how to debug or other things to try? ... View more

Ok, I'm going to try this out. But what happened to the group in the REGEX? Help me understand why you removed the "? " syntax. How will the regex know where to extract the data? My path is d:\logs\ServiceName\logfile.txt ... View more

Well, maybe, but I'd still like to be able to try it out and see for myself. ... View more

We have many different services (approaching 100) and the first item our developers would search on is ServiceName. Nearly every event in this type would have this attribute. I have a search based extraction working, but have seen performance issue with broad based searches such as, "ServiceName=TestService" I'd like to at least try out the indexed field and test it to see the performance difference. ... View more