Splunk App for AWS: How to monitor AWS snapshots and trigger an alert if there is no activity?

chrisprangnell
Path Finder

I want to create an AWS app alert

Pretty much as basic as this..

If no snapshots between this time and this time, send alert

pchen_splunk
Splunk Employee

You can search for snapshot events with " aws-config-index sourcetype="aws:config" ". On the alert page, you can define the interval and threshold that trigger the alert.


colbymahan
Explorer

I downvoted this post because it does not work, due to the inability to filter by AWS start_time. The date/time format is screwy and it collects all events rather than the ones in the time range selected. Thus I have 50ish historical events every hour instead of the 1 or 2 I am looking for that actually occurred in the past hour.


colbymahan
Explorer

If there is a way to convert the timestamp on the event to reflect the start_time that AWS uses, that would probably solve the issue. I cannot find info on how to do this.


pchen_splunk
Splunk Employee

I don't understand your question. You aim to trigger an alert if there is no snapshot for a while, do you? If so, just use the search " aws-config-index sourcetype="aws:config" " and edit the conditions in the alert dialog.


colbymahan
Explorer

The problem I am having is that ALL events come through every time, including ones from months ago, and are time-stamped by Splunk as occurring at the time of the search. The start_time value is extracted, but as a regular value, and the format is very strange ( start_time: 2016-03-19T07:01:05.000Z ), making it difficult to trigger on an event, or the lack of an event, in a defined time range like the last 4 hours. Any tips on how to do this?

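Putting the pieces of this thread together as an added example (not code from the original posts or from the Splunk App for AWS): a savedsearches.conf alert stanza that parses the AWS start_time string with strptime, keeps only snapshots started in the last four hours regardless of the collection-time _time Splunk assigned, collapses the repeated polls of the same snapshot, and fires when nothing is found. It assumes that `aws-config-index` is the app's index macro (as the search quoted above suggests; otherwise substitute index=<your index>), that the events carry the start_time field in the format shown in the thread, and that the stanza name and e-mail recipient are placeholders to be replaced.

```ini
# Added example: savedsearches.conf stanza for a "no AWS snapshot in the last 4 hours" alert.
# Assumptions: `aws-config-index` is the app's index macro; events carry start_time formatted
# like "2016-03-19T07:01:05.000Z" as in the thread; stanza name and recipient are placeholders.
[AWS - No EBS snapshot in last 4h]
# The raw events are stamped with collection time, so the alert's own window is kept wide
# and the real filtering is done on the parsed start_time in the search itself.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
# strptime turns AWS's ISO-8601 UTC string into epoch seconds and returns null for anything
# that does not match, so malformed values are dropped instead of silently counted.
# dc(start_time) collapses the same snapshot re-collected on every poll (the ~50 repeats per
# hour mentioned above); use the snapshot id field instead if your events carry one.
# Setting _time to the parsed value also makes the timeline reflect the AWS start time.
search = `aws-config-index` sourcetype="aws:config" start_time=* \
  | eval snapshot_time=strptime(start_time, "%Y-%m-%dT%H:%M:%S.%3NZ") \
  | where isnotnull(snapshot_time) AND snapshot_time >= relative_time(now(), "-4h") \
  | eval _time=snapshot_time \
  | stats count AS events_seen, dc(start_time) AS snapshots_last_4h \
  | where snapshots_last_4h == 0
# Run at the top of every hour. The search returns exactly one row only when no snapshot
# was found, so "number of results greater than 0" means "no snapshots in the window".
enableSched = 1
cron_schedule = 0 * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = PLACEHOLDER@example.com
action.email.subject = No AWS snapshot recorded in the last 4 hours
```

To check the search before scheduling it, run it without the final `where` line and confirm that snapshots_last_4h matches what the AWS console shows for the same four hours; if it is higher than expected, a field other than start_time (for example a snapshot id, when present) is the better key for dc(). Widening the "-4h" in relative_time and the dispatch window together changes the alert's tolerance without touching the timestamp logic.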