I am very new to Splunk search language and I still have a lot to learn.
AWS has its own backup service that our infrastructure engineers have set up to run backups every day and delete snapshots after a 7 day retention period.
I need to create a query that will alert me when a snapshot has not been deleted after the 7 day retention period.
I started working on the query to list all created/deleted snapshots but I cannot seem to filter only the ones that have not been deleted after 7 days.
Can you please give me some ideas?
@danielapopa - Please give sample events from your data. I mean Splunk data events which show that a backup is taken and a backup is removed, etc.
So in the AWS console, the AWS Backup service starts a daily backup job, the resulting snapshot has a 7 day retention period, and after 7 days the snapshot is deleted.
Looking at the events generated in Splunk by this service, from the point the backup job starts and completes successfully until the deletion, I have 3 types of events: eventName=BackupJobStarted, eventName=BackupJobCompleted, eventName=BackupDeleted.
I need to filter only the events that have started and completed but have not been deleted after 7 days.
Started my query like this:
(index=main host=ip.us-west-2.compute.internal) (eventName=BackupDeleted OR eventName=BackupJobCompleted)
but I don't know if I should create a lookup table with the deleted events and use that in my query to exclude the results that have been deleted after the retention period, or use a function to compare the two events.
Please let me know if I was being explicit enough (English is not my native language).
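One way to express that correlation in SPL, as an added example rather than the poster's own query: it assumes each snapshot's BackupJobCompleted and BackupDeleted events share a common identifier field, here called recoveryPointArn (a placeholder; substitute whatever field ties the two events together in your data), and it widens the search window to 30 days so that both ends of the 7 day lifecycle fall inside it.

```spl
index=main host=ip.us-west-2.compute.internal earliest=-30d@d
    (eventName=BackupJobCompleted OR eventName=BackupDeleted)
| stats
    min(eval(if(eventName="BackupJobCompleted", _time, null()))) AS completed_time,
    min(eval(if(eventName="BackupDeleted", _time, null()))) AS deleted_time
    BY recoveryPointArn
| where isnotnull(completed_time) AND isnull(deleted_time)
| where completed_time < relative_time(now(), "-7d@d")
| eval completed=strftime(completed_time, "%Y-%m-%d %H:%M:%S"),
       age_days=round((now() - completed_time) / 86400, 1)
| table recoveryPointArn completed age_days
| sort - age_days
```

Each row is a snapshot whose completion is older than 7 days with no deletion event in the window, so the saved search can alert on a result count greater than zero. Snapshots completed before the 30 day window are invisible to this search, so widen earliest= if older leftovers are a concern.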