How can I detect change using userswithloginprivs?



I have a stock install of Splunk for Nix running on 3k hosts or so. What I want to do in reasonable speed is compare to see if any users have been added with login privs locall to the Linux boxes.

The base search is this
index=main sourcetype="userswithloginprivs"

I am just not sure how on a host by host basis compare the results of this search to find change.

Any help here?

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!