We found that unless you configure default to be your domain searches took forever, once we set default to our domain. Splunk are Linux guys and sometime forget that us windows guys assume domain name means domain name, not in this case. Where it says domain name=default, that's just a label. Leave domain name = default, your domain name goes in alternative domain name. Previously even with some other label configured and tested to point to our domain, the search would takes 15-20 minutes. Once changed, much less than 1 minute for large searches. ... View more

For those following this post and with alerts set, rather than double post check this post http://answers.splunk.com/answers/229277/splunk-support-for-active-directory-why-does-ldaps.html ... View more

We had same issue when we updated for 1.x to 2.1.0 of SA-LDAP. It isn't clear in the documentation but the name - default is just a label and you will probably have several labels. While the UI shows Domain name = default, this is just a label, your domain actually goes in the Alternative domain name. so: default = blah.blah.blah.us like default = ci.washington.dc.us This default label is what is used in searches if you do not put in any domain. Additionally, we have an internal domain name that we put a label of NETBiosName = WashingtonDC We also learned that it appears to be case sensitive in searching and added the label CAPsNETBiosName = WASHINGTONDC now when you search for WashingtonDC OR WASHINGTONDC OR ci.washington.dc.us you should get results. I was looking at this question because we also noticed that the time being returned is not parsing well, so beware of that. Now you will get times that look like 2015-04-08T16:07:57.041170Z when they had been returning 2015/04/08 01:36:00 PDT. ... View more

Any updates? ... View more