Monitoring Splunk

AWS Missing feeds

realtimetechnol
Explorer

Hi All,

I am in the process of creating an app for AWS sources, and one of the objectives is to alert when an account stops sending events. As there are a number of sources per account, I have settled on the one source that all accounts provide, CloudTrail. There may be a flaw in my logic, but I will continue for now. I have looked at the TA's data; however, we aggregate into a single account, so this would not be representative. The feeds are via either the AWS TA or HEC.

The problem I am having is how to alert when the source stops. I have created an app similar to DMC, i.e. a list of accounts fed into a lookup, but the problem I am having is that, unlike DMC, there is no avg__tcp_kbps etc. to understand if the feed has stopped. I also looked at taking date_second, date_mday etc., but I need a way of updating the lookup CSV with the values.

My question is: has anyone done anything similar with AWS feeds, or are there some values around time that I could use?

Thanks

1 Solution

livehybrid
SplunkTrust

I might have the wrong end of the stick (apologies)...

We collect CloudTrail (and others) from a number (120+) of accounts into a single index and extract the account ID at index time. You can then use tstats to quickly see when an account was last seen...

Something like this might do it:

# transforms.conf (the REGEX/FORMAT stanza belongs here, not in props.conf)
[set_aws_account_id]
SOURCE_KEY = _raw
# \s* tolerates both "accountId": "..." and the compact "accountId":"..." that CloudTrail emits;
# this captures the first accountId in the event
REGEX = \"accountId\":\s*\"([0-9]{12})\"
FORMAT = aws_account_id::$1
# required for an index-time extraction; without it the field is never written
WRITE_META = true

# props.conf (the sourcetype stanza that applies the transform)
[aws:cloudtrail]
TRANSFORMS-get_aws_account_id = set_aws_account_id

# fields.conf (marks the field as indexed so searches and tstats treat it correctly)
[aws_account_id]
INDEXED = true

Then search:

| tstats latest(_time) as latest where index=<your_aws_index> earliest=-24h by aws_account_id
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0

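As an added example (my own illustration, not the poster's code and not part of the Splunk AWS TA), here is the same "last seen" logic in Python over a few constructed CloudTrail-shaped records. It goes one step beyond the tstats search above: besides the "stale" accounts that `| where recent=0` returns, it also reports accounts from the asker's expected-account list that have been silent for longer than the search window, which tstats alone can never list because no row exists for them. The function names, the sample records, the fixed "now" and the 5-minute / 24-hour thresholds are all assumptions for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Same pattern as the index-time extraction in the answer, tolerant of optional
# whitespace after the colon (compact CloudTrail JSON has none).
ACCOUNT_ID_RE = re.compile(r'"accountId":\s*"([0-9]{12})"')


def extract_account_id(raw: str):
    """Return the first 12-digit accountId in a raw CloudTrail record, or None."""
    m = ACCOUNT_ID_RE.search(raw)
    return m.group(1) if m else None


def latest_per_account(events):
    """Equivalent of `| tstats latest(_time) as latest ... by aws_account_id`.

    events: iterable of (epoch_seconds, raw_string).
    Returns {account_id: latest_epoch}; records without an accountId are skipped.
    """
    latest = {}
    for ts, raw in events:
        acct = extract_account_id(raw)
        if acct is None:
            continue
        if ts > latest.get(acct, float("-inf")):
            latest[acct] = ts
    return latest


def classify_accounts(events, expected_accounts, now,
                      stale_after=timedelta(minutes=5), lookback=timedelta(hours=24)):
    """Classify every expected account as 'ok', 'stale' or 'missing'.

    ok       : latest event within stale_after of now
    stale    : seen inside lookback but not within stale_after
               (what the answer's `| where recent=0` returns)
    missing  : no event inside lookback at all; tstats returns no row for it,
               which is why the expected list (the asker's lookup) is needed
    Accounts present in the data but absent from expected_accounts are
    returned under 'unexpected' (e.g. a new account nobody registered).
    """
    now_epoch = now.timestamp()
    window_start = now_epoch - lookback.total_seconds()
    stale_cutoff = now_epoch - stale_after.total_seconds()

    in_window = [(ts, raw) for ts, raw in events if ts >= window_start]
    latest = latest_per_account(in_window)

    result = {"ok": [], "stale": [], "missing": [], "unexpected": []}
    for acct in sorted(expected_accounts):
        if acct not in latest:
            result["missing"].append(acct)
        elif latest[acct] > stale_cutoff:
            result["ok"].append(acct)
        else:
            result["stale"].append(acct)
    result["unexpected"] = sorted(set(latest) - set(expected_accounts))
    return result


# ---- constructed sample data (assumption: not real account IDs or events) ----
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _ago(**kwargs):
    return (NOW - timedelta(**kwargs)).timestamp()


def _event(account_id, ts):
    # Minimal CloudTrail-shaped record; only the accountId fields are realistic.
    raw = ('{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole",'
           f'"accountId":"{account_id}"}},"eventSource":"sts.amazonaws.com",'
           f'"recipientAccountId":"{account_id}"}}')
    return (ts, raw)


SAMPLE_EVENTS = [
    _event("111111111111", _ago(minutes=1)),    # healthy
    _event("111111111111", _ago(hours=3)),
    _event("222222222222", _ago(minutes=30)),   # stopped 30 minutes ago -> stale
    _event("333333333333", _ago(hours=30)),     # outside the 24h window -> missing
    _event("555555555555", _ago(minutes=2)),    # not in the expected list -> unexpected
    (_ago(minutes=1), '{"eventSource":"s3.amazonaws.com"}'),  # no accountId, skipped
]

# The asker's lookup: accounts that are supposed to be sending CloudTrail.
EXPECTED_ACCOUNTS = {"111111111111", "222222222222", "333333333333", "444444444444"}

if __name__ == "__main__":
    for state, accounts in classify_accounts(SAMPLE_EVENTS, EXPECTED_ACCOUNTS, NOW).items():
        print(f"{state:10s} {accounts}")
```

The "missing" bucket is the part the tstats search on its own does not cover: an account that stopped sending 30 hours ago produces no row in a 24-hour window, so it silently drops out of the alert. In SPL the equivalent is to join or append the tstats output to the account lookup so that accounts with no rows still appear, with an empty `latest` treated as an alert condition.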
