Hi, I have the following search:

index="windows" source=WinEventLog:Security ([| inputlookup windows_group_change_events | where group_action like "member added" or group_action like "member removed" | fields EventCode ]) NOT src_user=portalsync
| ldapfilter search="(&(objectClass=group)(cn=$Group_Name$))" attrs="distinguishedname,description, info"
| eval _raw = json_object("time", _time, "action_by", src_user, "event_code", EventCode, "group", mvindex(Security_ID, 2), "member", mvindex(Security_ID, 1), "orig_sourcetype", sourcetype, "orig_host", host, "dn", distinguishedName, "desc", description, "info", info)
| fields _time, _raw
| collect index=windows_ad_summary addtime=0 source="windows_group_management"

I am trying to save the group membership change events to a different index for long-term retention. I got the original idea from here: https://conf.splunk.com/files/2017/slides/using-splunk-enterprise-to-optimize-tailored-longterm-data-retention.pdf

My problem is that this search always returns "no results". If I omit the "fields" and "collect" commands, it returns results as intended. Also, if I omit the "ldapfilter" command, it works just fine. Do you have any idea what the problem is with the combination of "ldapfilter" and "fields"?

Thanks,
Laszlo

Edit: I'm using Splunk 8.0.9