Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Keeping history of AD groups

Sasquatchatmars
Communicator
‎11-16-2020 11:36 PM

Hi all,

I have been making a search to know which account is in which groups using ldapsearch. I succesfully made the search. I will put the query below. Now my question is, is it possible to keep a history of the results for 30 days.

My search will be turned into a report which will run every day and I want to keep every result for 30 days. I was thinking to put everything in a pdf or csv report but I don't know how to delete it after 30 days. Otherwise i would need to send the report by mail but I really want to avoid that options if possible. Does someone know what the best option would be and how I could set it up. 

The query is :

| ldapsearch domain="default" search="(&(objectClass=group)(cn=*))"
| ldapgroup
| rex field=member_dn "CN=(?<member_name_full>[^,]*),"
| table cn,member_dn,member_type,member_name_full
| sort cn
| rename cn AS "Group Name", member_dn AS "Member DN", member_type AS "Member Type", member_name_full AS "Member Name"

 

Thank you.

Sasquatchatmars

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2020 05:57 AM

Put the results of the report into a summary index that has a retention time of 30 days.  Use the collect command to write the results.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2020 05:57 AM

Put the results of the report into a summary index that has a retention time of 30 days.  Use the collect command to write the results.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Sasquatchatmars
Communicator
‎11-17-2020 07:46 AM

Hi @richgalloway,

Thank you this worked!

Sasquatchatmars 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...