Splunk Search

How do I search for changes in group membership data over time?

jturnervbs
Engager

I am collecting group membership data daily into Splunk and I need to know how to search for changes that occur over time.

For instance, I need to report on any group memberships that have been removed and I also need to report any new group memberships that have been added.

Each record/event has a datetime stamp and a uniqueID field.

My goal is to be able to run a search and see what changes have taken place over a specific span of time.

Your assistance is greatly appreciated.


lguinn2
Legend

Here is something to get you started; it isn't exactly what you asked for, but you didn't give enough details about the data. Each event has a timestamp and a unique ID, but what would tell someone whether the group membership had been added or removed? Some example events would be helpful to the community...

The following search will identify the earliest time and the latest time that a uniqueID has been seen:

yoursearchhere
| stats earliest(_time) as First_Seen latest(_time) as Last_Seen by uniqueID
| fieldformat First_Seen=strftime(First_Seen, "%x %X")
| fieldformat Last_Seen=strftime(Last_Seen, "%x %X")

Note that this search will only find events within the time range that you select. So if you select "Last 7 days", the search will not identify uniqueIDs that were first seen 14 days ago...

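As an added example (not part of lguinn2's answer or the original post), here is one way to turn the first-seen/last-seen search into the add/remove report the question asks for. It assumes that `yoursearchhere` returns exactly one snapshot per day, that each `uniqueID` identifies one group/member pair and is present in every daily snapshot for as long as that membership exists, and that the report is run for the seven most recent full days. It pulls one extra day (`earliest=-8d@d`) so the oldest snapshot serves as a baseline, and it stops at `latest=@d` so today's possibly incomplete collection is not mistaken for removals:

```spl
yoursearchhere earliest=-8d@d latest=@d
| bin _time span=1d
| stats earliest(_time) AS First_Seen latest(_time) AS Last_Seen dc(_time) AS Days_Seen BY uniqueID
| eval window_start=relative_time(now(), "-8d@d"), last_snapshot=relative_time(now(), "-1d@d")
| eval Change=case(
      First_Seen > window_start AND Last_Seen < last_snapshot, "added then removed",
      First_Seen > window_start, "added",
      Last_Seen < last_snapshot, "removed",
      true(), "unchanged")
| eval expected_days=round((Last_Seen - First_Seen) / 86400) + 1
| eval Gaps=if(Days_Seen < expected_days, "yes", "no")
| where Change != "unchanged" OR Gaps = "yes"
| fieldformat First_Seen=strftime(First_Seen, "%x %X")
| fieldformat Last_Seen=strftime(Last_Seen, "%x %X")
| table uniqueID Change Gaps First_Seen Last_Seen Days_Seen
```

`bin _time span=1d` snaps every snapshot to its day's midnight, so `First_Seen` later than the first day means the membership was not in the baseline (added), and `Last_Seen` earlier than the last full day means it disappeared before the newest snapshot (removed). `Days_Seen` compared with the number of days between first and last sighting catches a membership that was dropped and re-added inside the window, which the first/last comparison alone would report as unchanged. The caveat from the answer still applies: anything already present in the baseline snapshot cannot be dated further back than the window you search, and a skipped or duplicated daily collection will show up as a gap or be folded into one day rather than being distinguished from a real change.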