Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I search for changes in group membership data over time?

jturnervbs
Engager
‎03-20-2015 09:57 AM

I am collecting group membership data daily into Splunk and I need to know how to search for changes that occur over time.

For instance, I need to report on any groupmemberships that have been removed and I also need to report any new groupmemberships that have been added.

Each record/event has a datetime stamp and a uniqueID field.

My goal is to be able to run a search and see what changes have taken place over a specific span of time.

Your assistance is greatly appreciated.

Tags (4)
Reply

lguinn2
Legend
‎03-22-2015 03:47 PM

Here is something to get you started; it isn't exactly what you asked for, but you didn't give enough details about the data. Each event has a timestamp and a unique ID, but what would tell someone whether the group membership had been added or removed? Some example events would be helpful to the community...

The following search will identify the earliest time and the latest time that a uniqueID has been seen:

yoursearchhere
| stats earliest(_time) as First_Seen latest(_time) as Last_Seen by uniqueID
| fieldformat First_Seen=strftime("%x %X",First_Seen)
| fieldformat Last_Seen=strftime("%x %X",Last_Seen)

Note that this search will only find events within the timerange that you select. So if you select "Last 7 days", the search will not identify uniqueIDs that were first seen 14 days ago...

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...