Re: How do I search for changes in group membershi...

jturnervbs · ‎03-20-2015

I am collecting group membership data daily into Splunk and I need to know how to search for changes that occur over time.

For instance, I need to report on any groupmemberships that have been removed and I also need to report any new groupmemberships that have been added.

Each record/event has a datetime stamp and a uniqueID field.

My goal is to be able to run a search and see what changes have taken place over a specific span of time.

Your assistance is greatly appreciated.

lguinn2 · ‎03-22-2015

Here is something to get you started; it isn't exactly what you asked for, but you didn't give enough details about the data. Each event has a timestamp and a unique ID, but what would tell someone whether the group membership had been added or removed? Some example events would be helpful to the community...

The following search will identify the earliest time and the latest time that a uniqueID has been seen:

yoursearchhere
| stats earliest(_time) as First_Seen latest(_time) as Last_Seen by uniqueID
| fieldformat First_Seen=strftime("%x %X",First_Seen)
| fieldformat Last_Seen=strftime("%x %X",Last_Seen)

Note that this search will only find events within the timerange that you select. So if you select "Last 7 days", the search will not identify uniqueIDs that were first seen 14 days ago...

How do I search for changes in group membership data over time?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation