We use Splunk to monitor our LDAP Cluster which receives millions of requests per day. We use Splunk searches and Splunk dashboards to monitor the systems in real time, and to check historic events. The trouble is, these searches are very, very slow.
We use these searches and dashboards multiple times per day, and the slowness is frustrating. Is there any way to accelerate a dashboard that makes use of the transaction parameter?
LDAP requires the use of Transactions, because one request will always span multiple lines, like this:
slapd[9876]: conn=123456 fd=48 ACCEPT from IP=192.168.1.100:38958 (IP=0.0.0.0:636)
slapd[9876]: conn=123456 fd=48 TLS established tls_ssf=128 ssf=128
slapd[9876]: conn=123456 op=0 BIND dn="" method=128
slapd[9876]: conn=123456 op=0 RESULT tag=97 err=0 text=
slapd[9876]: conn=123456 op=1 SRCH base="ou=Group,ou=system,ou=Host,o=ldapsvc,dc=example,dc=org" scope=2 deref=0 filter="(uid=stefanl)"
...
slapd[9876]: conn=123456 op=2 UNBIND
slapd[9876]: conn=123456 fd=48 closed
slapd[46834]: conn=123456 fd=48 closed
Therefore, any useful search needs to use a transaction, like this:
host=192.168.5.55/24 process=slapd | transaction conn startswith="ACCEPT from" endswith="closed" maxspan=10m
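To make the grouping concrete, here is an added example (not code from the original post, and not Splunk's own implementation) that reproduces in Python what the search above does with `transaction conn startswith="ACCEPT from" endswith="closed" maxspan=10m`: lines are bucketed by their `conn=` field, a group opens on an ACCEPT line, closes on a `closed` line, and is emitted as incomplete if its events stretch past maxspan. The sample log lines are constructed for the example; the post shows no timestamps, so syslog-style ones are assumed, and the PIDs, IPs and DNs are made up. It also includes a failed bind (err=49) and a connection that outlives maxspan, so both edge cases are visible in the output.

```python
"""Group OpenLDAP slapd log lines by conn=, mirroring the posted Splunk
`transaction conn startswith="ACCEPT from" endswith="closed" maxspan=10m`.
Added example; sample lines below are constructed (timestamps, PIDs, IPs and
DNs are assumed, the original post shows none of them)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample input modelled on the lines in the post.
SAMPLE_LOG = """\
Mar  3 10:00:00 ldap1 slapd[9876]: conn=123456 fd=48 ACCEPT from IP=192.168.1.100:38958 (IP=0.0.0.0:636)
Mar  3 10:00:00 ldap1 slapd[9876]: conn=123456 fd=48 TLS established tls_ssf=128 ssf=128
Mar  3 10:00:00 ldap1 slapd[9876]: conn=123456 op=0 BIND dn="" method=128
Mar  3 10:00:00 ldap1 slapd[9876]: conn=123456 op=0 RESULT tag=97 err=0 text=
Mar  3 10:00:01 ldap1 slapd[9876]: conn=123456 op=1 SRCH base="ou=Group,dc=example,dc=org" scope=2 deref=0 filter="(uid=stefanl)"
Mar  3 10:00:01 ldap1 slapd[9876]: conn=123456 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  3 10:00:01 ldap1 slapd[9876]: conn=123456 op=2 UNBIND
Mar  3 10:00:01 ldap1 slapd[9876]: conn=123456 fd=48 closed
Mar  3 10:00:05 ldap1 slapd[9876]: conn=123457 fd=50 ACCEPT from IP=10.0.0.7:41000 (IP=0.0.0.0:636)
Mar  3 10:00:05 ldap1 slapd[9876]: conn=123457 op=0 BIND dn="cn=svc,dc=example,dc=org" method=128
Mar  3 10:00:05 ldap1 slapd[9876]: conn=123457 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:05 ldap1 slapd[9876]: conn=123457 fd=50 closed
Mar  3 10:01:00 ldap1 slapd[9876]: conn=123458 fd=52 ACCEPT from IP=10.0.0.8:41001 (IP=0.0.0.0:636)
Mar  3 10:15:00 ldap1 slapd[9876]: conn=123458 fd=52 closed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) (?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")


@dataclass
class Transaction:
    conn: str
    start: datetime
    end: datetime
    client: Optional[str] = None
    bind_dn: Optional[str] = None
    filters: list = field(default_factory=list)
    errs: list = field(default_factory=list)
    events: list = field(default_factory=list)
    closed: bool = False  # True only if the 'closed' line arrived within maxspan

    @property
    def duration(self) -> float:
        return (self.end - self.start).total_seconds()


def parse_line(line: str) -> Optional[dict]:
    """Split one slapd line into timestamp, conn, free text and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "conn": m.group("conn"), "rest": rest, "fields": fields}


def build_transactions(lines, maxspan=timedelta(minutes=10)) -> list[Transaction]:
    """Open a group on ACCEPT, close it on 'closed', abandon it past maxspan."""
    open_txns: dict[str, Transaction] = {}
    done: list[Transaction] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        conn, rest, ts = ev["conn"], ev["rest"], ev["ts"]
        cur = open_txns.get(conn)
        if cur is not None and ts - cur.start > maxspan:
            done.append(open_txns.pop(conn))  # incomplete: maxspan exceeded
            cur = None
        accept = ACCEPT_RE.search(rest)
        if accept:
            if cur is not None:  # conn number reused before a 'closed' line
                done.append(open_txns.pop(conn))
            cur = open_txns[conn] = Transaction(conn, ts, ts, client=accept.group(1))
        if cur is None:
            continue  # no ACCEPT in scope for this conn: belongs to no group
        cur.events.append(line)
        cur.end = ts
        f = ev["fields"]
        if " BIND " in rest:
            cur.bind_dn = f.get("dn")
        elif " SRCH " in rest:
            cur.filters.append(f.get("filter"))
        elif " RESULT " in rest and "err" in f:
            cur.errs.append(int(f["err"]))
        if rest.endswith(" closed"):
            cur.closed = True
            done.append(open_txns.pop(conn))
    done.extend(open_txns.values())  # still open at end of input: incomplete
    return sorted(done, key=lambda t: t.start)


def summarize(txns) -> list[dict]:
    """The per-connection rollup a dashboard panel would show."""
    return [{"conn": t.conn, "client": t.client, "bind_dn": t.bind_dn,
             "searches": len(t.filters), "errors": sum(1 for e in t.errs if e != 0),
             "duration_s": t.duration, "events": len(t.events), "complete": t.closed}
            for t in txns]


if __name__ == "__main__":
    for row in summarize(build_transactions(SAMPLE_LOG.splitlines())):
        print(row)
```

Every value that `summarize` derives (client, bind DN, search count, error count, duration, completeness) is a per-`conn` aggregate, which is the shape `stats ... by conn` can compute without holding whole event groups in memory the way `transaction` does; that is the usual reason a `transaction`-based panel is slow on millions of events and the usual place to start when trying to speed one up.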