Splunk Search

Keeping history of AD groups

Sasquatchatmars
Communicator

Hi all,

I have been making a search to know which account is in which groups using ldapsearch. I succesfully made the search. I will put the query below. Now my question is, is it possible to keep a history of the results for 30 days.

My search will be turned into a report which will run every day and I want to keep every result for 30 days. I was thinking to put everything in a pdf or csv report but I don't know how to delete it after 30 days. Otherwise i would need to send the report by mail but I really want to avoid that options if possible. Does someone know what the best option would be and how I could set it up. 

The query is :

| ldapsearch domain="default" search="(&(objectClass=group)(cn=*))"
| ldapgroup
| rex field=member_dn "CN=(?<member_name_full>[^,]*),"
| table cn,member_dn,member_type,member_name_full
| sort cn
| rename cn AS "Group Name", member_dn AS "Member DN", member_type AS "Member Type", member_name_full AS "Member Name"

 

Thank you.

Sasquatchatmars

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Put the results of the report into a summary index that has a retention time of 30 days.  Use the collect command to write the results.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Put the results of the report into a summary index that has a retention time of 30 days.  Use the collect command to write the results.

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Sasquatchatmars
Communicator

Hi @richgalloway,

Thank you this worked!

Sasquatchatmars 

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!