More than one level is assumed, no one really has a flat organization. It doesn't make any difference to my advice. Missing data is also normal, but not your problem. In fact your dashboard might even inspire people to start fixing the source data. ... View more

I was hoping something like this would work, this was generated through the erex , but needs some adjustments i guess rex "(?i)windows\(?P[^\]+)" ... View more

I tried the options suggested on MY SEARCH HEADS, it is returning results with errors for my linux indexers-"Streamed search execute failed because: Error in 'geoip' command: command="geoip", Error: GeoIP database file '/Program Files/Splunk/etc/apps/maps/bin/GeoLiteCity.dat' does not exist!". My architecture has 2 Search Heads in Windows and 4 indexers- (2 Indexers windows and 2 indexers- Linux). Each of these indexers have its own sets of data. ie..no mirroring configured. hence I will have to availability of all indexers for a search operation. So here is what i did: 1. modify the Search heads & Indexers running on Windows- geoip.conf with following entry: database_file = /Program Files/Splunk/etc/apps/maps/bin/GeoLiteCity.dat Modify the indexer running Linux - geoip.conf with following entry: database_file = /opt/splunk/etc/apps/maps/bin/GeoLiteCity.dat However on my Search head, when I try to run syntax, for example: "index=vpn session disconnected | geoip IP " does return with events for my indexers running windows, but fails to provide events from indexers running on Linux. But if I run the syntax individually on the Indexer running with Linux, it does return events. Can someone help propose a solution for this ? ... View more

Does this still stand for the current version of the SA-ldapsearch? ... View more