All Apps and Add-ons

Monitor AWS backup retention period?

danielapopa
New Member

I am very new to Splunk search language and I still have a lot to learn.
AWS has it's own backup service that our infrastructure engineers have setup to run backups every day and delete snapshots after a 7 day retention period.
I need to create a query that will alert me when a snapshot has not been deleted after the 7 day retention period.
I started working on the query to list all created/deleted snapshots but I cannot seem to filter only the ones that have not been deleted after 7 days.

Can you please give me some ideas?

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@danielapopa - Please give sample events from your data. I mean Splunk data events which shows backup is taken and backup is removed, etc.

0 Karma

danielapopa
New Member

So in AWS console the aws backup service starts daily a backup job and the resulted snapshot has a 7 day retention period and after 7 days the snapshot is deleted.
looking at the events generated in Splunk by this service from the point the backup job starts and completes successfully and until the deletion I have 3 types of events eventName=BackupJobStarted, eventName=BackupJobCompleted, eventName=BackupDeleted.
I need to filter only the events that have started, completed but have not been deleted after 7 days.
Started my query like this:
(index=main host=ip.us-west-2.compute.internal) (eventName=BackupDeleted OR eventName=BackupJobCompleted)
but I don't know if I should create a lookup table with the deleted events and and use that in my query to exclude the results that have been deleted after the retention period or a function to compare between the two events.
Please let me know if I was being explicit enough(English is not my native language).

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...