if I run the command on my HF is fine, it works. I configured the AD plugin to send events to the indexer. But if I run it on my SH doesn't work. I guess the send event function is not configured properly, by that I mean this tutorial : The following steps are the same for saving new alerts or editing existing alerts. From the Add Actions menu, select Log event. Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata. Event text Source and sourcetype Host Destination index for the log event. The main index is the default destination. You can specify a different existing index. ... View more

One more thing, how do I get this query : "| ldapsearch search="(objectClass=group)" attrs="*" | collect index=<ldapsearch> "in my SH ? I am following the tutorial ? The following steps are the same for saving new alerts or editing existing alerts. From the Add Actions menu, select Log event. Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata. Event text Source and sourcetype Host Destination index for the log event. The main index is the default destination. You can specify a different existing index.   How do I configure the event text to get the data in the SH ? all I get is some event like : " 5/3/24 10:00:01.000 AM   | ldapsearch search="(objectClass=group)" attrs="*" | collect index=<ldapsearch> host = SBOXAD01| SBOXAD02 source = alert: sourcetype = AD" ... View more