ericksonOng, i will contact you by email to see what the issue is. ... View more

Hi Eric, Could you please post your search query here, may be that would help sort out things ... View more

May be this answer will help https://answers.splunk.com/answers/331535/how-to-create-a-user-role-with-capabilities-to-man.html ... View more

Hello all, Unfortunately we are facing the same problem here. We have no results when using the dashboards on the path: active Directory > Users > User Reports > All (and all the others as well.). When running the query << | secrpt-all-users(DATASECLAB) >> we get the following error: External search command 'ldapsearch' returned error code 1. Script output = " ERROR Cannot find the configuration stanza for domain=** in ldap.conf. " And when looking at the sa-ldap-search.log we get the following: Level=ERROR, Pid=3524, File=search_command.py, Line=282, Abnormal exit: '*' Is this a known issue? We are using the latest version of ldapsearch. What should we do? Thank you in advance ... View more

This is not ideal, since it requires a new event to come through to 'refresh' the display Set up your real-time search for the last 24 hours, then filter it through something like this .... | eval interval=relative_time(_time,"@d") | eventstats latest(interval) as latest_interval | where interval == latest_interval AND latest_interval == relative_time(time(),"@d") | ... This'll only display events for the current day. John ... View more

Firstly to max out the indexer processor may have negative impacts on the performance. (By the way, that maxKBps relates to networking output from a universal forwarder or a splunk indexer forwarding but if you release any kind of cap on it on a work network you can risk flooding the network or blocking an indexer) There are different "queues" within Splunk that handle different jobs, as an example we're talking about things like; Line breaking Regex field extraction Timestamping Writing unwanted logs to null queue (sending them into the abyss) Perhaps some additional processing on something like windows event logs If a queue starts to block then it will delay or cause other events to drop depending on how they are being indexed. Also consider that Splunk can monitor and index local log files which allow it to index and read changes relatively fast when compared to a network connection where you may be forwarding events from another machine which will be restricted by the disk IO on the remote server (it may be in use or idle) and the network traffic. This is also over TCP which may require data to be re-transmitted if dropped en route. You may also be logging syslog from remote systems which may be coming in on an UDP connection which again causes another area for potential problems. I haven't really looked a great deal at your maths, assuming you've taken the right figures then I am sure it probably reflects a clean setup on a clean network and reading in local files, realistically the only way to really have any idea is to perform a proof of concept and actually gauge the performance of your systems indexing into Splunk as well as a realistic number of EPS. EDIT: Also, in relation to the quote above I believe although I can't say for sure that the point is that vendors who quote EPS figures are giving overly optimistic results, Splunk knows that data varies but it does have a very good indexing engine, to see what you can do with it then the best option is to try 🙂 ... View more

Hi, see mvappends, works fine for me to agrregate 2 MV fileds into a new field.. mvappend(X,...) This function takes an arbitrary number of arguments and returns a multivalue result of all the values. The arguments can be strings, multivalue fields or single value fields. ... | eval fullName=mvappend(initial_values, "middle value", last_values) ... View more