Splunk Search

How do I search for changes in group membership data over time?

jturnervbs
Engager

I am collecting group membership data daily into Splunk and I need to know how to search for changes that occur over time.

For instance, I need to report on any group memberships that have been removed and I also need to report any new group memberships that have been added.

Each record/event has a datetime stamp and a uniqueID field.

My goal is to be able to run a search and see what changes have taken place over a specific span of time.

Your assistance is greatly appreciated.


lguinn2
Legend

Here is something to get you started; it isn't exactly what you asked for, but you didn't give enough details about the data. Each event has a timestamp and a unique ID, but what would tell someone whether the group membership had been added or removed? Some example events would be helpful to the community...

The following search will identify the earliest time and the latest time that a uniqueID has been seen:

yoursearchhere
| stats earliest(_time) as First_Seen latest(_time) as Last_Seen by uniqueID
| fieldformat First_Seen=strftime("%x %X",First_Seen)
| fieldformat Last_Seen=strftime("%x %X",Last_Seen)

Note that this search will only find events within the time range that you select. So if you select "Last 7 days", the search will not identify uniqueIDs that were first seen 14 days ago...

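The same first-seen/last-seen computation as the stats search above, carried one step further to derive "added" and "removed" memberships from daily snapshots, as an added example that is not part of the original answer. The snapshot events are constructed, and uniqueID is assumed to be "<group>:<member>"; the narrow-window call in the test shows the time-range caveat the answer warns about.

```python
# Constructed daily snapshot events: (snapshot_date as ISO string, uniqueID).
# ISO dates compare correctly as strings, so no datetime parsing is needed.
EVENTS = [
    ("2024-03-01", "Domain Admins:alice"),
    ("2024-03-01", "Domain Admins:bob"),
    ("2024-03-02", "Domain Admins:alice"),
    ("2024-03-02", "Domain Admins:bob"),
    ("2024-03-03", "Domain Admins:alice"),
    ("2024-03-03", "Domain Admins:bob"),
    ("2024-03-03", "Domain Admins:carol"),  # carol added on day 3
    ("2024-03-04", "Domain Admins:alice"),
    ("2024-03-04", "Domain Admins:carol"),  # bob removed on day 4
]


def first_last_seen(events, start, end):
    """Equivalent of `stats earliest(_time) latest(_time) by uniqueID`,
    restricted to events inside the selected range [start, end]."""
    seen = {}
    for day, uid in events:
        if not (start <= day <= end):
            continue
        first, last = seen.get(uid, (day, day))
        seen[uid] = (min(first, day), max(last, day))
    return seen


def membership_changes(events, start, end):
    """Derive membership changes from first/last-seen times.
    added:   first seen after the first snapshot day in the range
    removed: last seen before the last snapshot day in the range
    Caveat (same as the search): an ID that was already a member before
    `start` simply looks present from the first day in range, and its
    real First_Seen is not visible."""
    seen = first_last_seen(events, start, end)
    days = {d for d, _ in events if start <= d <= end}
    if not days:
        return {"added": [], "removed": []}
    first_day, last_day = min(days), max(days)
    added = sorted(u for u, (f, _) in seen.items() if f > first_day)
    removed = sorted(u for u, (_, last) in seen.items() if last < last_day)
    return {"added": added, "removed": removed}


if __name__ == "__main__":
    print(membership_changes(EVENTS, "2024-03-01", "2024-03-04"))
    print(first_last_seen(EVENTS, "2024-03-03", "2024-03-04"))
```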