Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does INDEXED_EXTRACTIONS work for Active Directory

a212830
Champion
‎11-05-2016 03:09 PM

Hi,

I'm looking at options for improving some reporting for a heavy feed from AD. Is INDEXED_EXTRACTIONS supported for AD events?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-06-2016 06:06 AM

You have many options.

  1. Increase search speed by throwing faster / more disk at it.

  2. Create data models to drive the dashboard

  3. Create better / optimized searches.

  4. Reduce the panels (I try to forced everyone to put six panels max)

  5. Create a root dashboard search if applicable.

  6. "Power" the dashboard with accelerated searches where applicable or scheduled reports.

  7. "Power" the dashboard with summarized data.

Reply

sloshburch
Splunk Employee
Splunk Employee
‎11-07-2016 08:52 AM

I agree. Esp the data model (accelerated) as well as using post process searches in the dashboard.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-05-2016 06:35 PM

To my knowledge INDEXED_EXTRACTIONS only works on csv, psv, JSON, or xml data. It causes the KvP to be indexed which takes up more disk space but can provide a boost in speed at search time. If you're not indexing those types of data however, the setting won't do anything.

If you do desire to fully index the field however and you're not ingesting such structured data, you can do so with the TRANSFORM-className stanza in props.conf and a corresponding entry in transforms.conf.

Doing so however would add more "pressure" on the indexing side as it takes longer to write more data and this is probably not the solution you're looking for since you're describing the data as "heavy". If you're looking for extra bandwidth on the indexing side, let us know and we can offer some solutions. If you're experiencing slow search across this data, then we can offer other ideas.

0 Karma
Reply

a212830
Champion
‎11-05-2016 07:08 PM

Thanks. The AD feed is pretty busy, and I have a customer who wants to present a dashboard that does about 9 or 10 different panels, with different counts of fields and values. Unfortunately, the dashboard takes waaay to long, so I'm looking for ways to speed it up.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...