All,
I have a stock install of Splunk for Nix running on 3k hosts or so. What I want to do, in reasonable speed, is compare to see if any users have been added with login privs locally to the Linux boxes.
The base search is this:
index=main sourcetype="userswithloginprivs"
I am just not sure how, on a host-by-host basis, to compare the results of this search to find changes.
Any help here?
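As an added example (not code from the original post, and not part of the Splunk *nix app), the following Python models the per-host comparison the question asks for: group the events of each collection run by host, then diff the user set of the most recent run against the run before it. The event tuples, host names, user names and timestamps are constructed sample data, and the three-field shape (time, host, user) is an assumption about how the `userswithloginprivs` events would be summarised, not the app's actual output format. It also handles two cases a straight diff misses: a host seen for the first time, and a host that stopped reporting before the latest run (a stale host can hide a change just as well as a new account can).

```python
"""Per-host diff of users with login privileges across two collection runs.

Added illustration for the forum question above; it is not Splunk code and
the event layout below is a constructed assumption, not the real output of
the Splunk *nix app's usersWithLoginPrivs scripted input.
"""
from collections import defaultdict

# Constructed sample events: (run_timestamp, host, user). Two collection runs
# (09:00 and 10:00) across four hosts:
#   web01 gains 'deploy', db01 loses 'olduser', app02 only appears in the
#   later run, app03 only reported in the earlier run (stopped reporting).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "web01", "root"),
    ("2024-05-01T09:00:00", "web01", "alice"),
    ("2024-05-01T09:00:00", "db01", "root"),
    ("2024-05-01T09:00:00", "db01", "olduser"),
    ("2024-05-01T09:00:00", "app03", "root"),
    ("2024-05-01T10:00:00", "web01", "root"),
    ("2024-05-01T10:00:00", "web01", "alice"),
    ("2024-05-01T10:00:00", "web01", "deploy"),
    ("2024-05-01T10:00:00", "db01", "root"),
    ("2024-05-01T10:00:00", "app02", "root"),
    ("2024-05-01T10:00:00", "app02", "svc_backup"),
]


def snapshots_by_host(events):
    """Group events into {host: {run_timestamp: set_of_users}}.

    One scripted-input run on a host emits one event per user, all sharing
    the run's timestamp, so the timestamp identifies the snapshot.
    """
    snaps = defaultdict(lambda: defaultdict(set))
    for ts, host, user in events:
        snaps[host][ts].add(user)
    return snaps


def diff_latest_runs(events):
    """Compare each host's two most recent snapshots.

    Returns {host: {"status": ..., "added": [...], "removed": [...]}} where
    status is one of:
      "changed"   - user set differs between the last two runs
      "unchanged" - identical user set in the last two runs
      "new_host"  - only one run seen; every user is reported as added
      "stale"     - host did not report in the latest run (needs a look too)
    """
    snaps = snapshots_by_host(events)
    # ISO-8601 timestamps sort correctly as strings, so max() is the newest run.
    global_latest = max(ts for ts, _, _ in events)
    report = {}
    for host, runs in snaps.items():
        times = sorted(runs)
        latest = times[-1]
        if latest != global_latest:
            report[host] = {"status": "stale", "added": [], "removed": [],
                            "last_seen": latest}
            continue
        if len(times) < 2:
            report[host] = {"status": "new_host",
                            "added": sorted(runs[latest]), "removed": []}
            continue
        prev = times[-2]
        added = sorted(runs[latest] - runs[prev])
        removed = sorted(runs[prev] - runs[latest])
        status = "changed" if (added or removed) else "unchanged"
        report[host] = {"status": status, "added": added, "removed": removed}
    return report


if __name__ == "__main__":
    for host, entry in sorted(diff_latest_runs(SAMPLE_EVENTS).items()):
        print(host, entry)
```

The same shape carries over to a Splunk search: aggregate the user field per host and per run time, then compare each host's latest run with the one before it and alert on hosts whose status is anything other than unchanged. Treating "stale" as a finding rather than silently skipping the host is the part worth keeping whichever tool does the comparison.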