Splunk Search

CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions - query not working

jaibalaraman
Path Finder

Hi 

We have installed "Splunk for AWS", but the below alert is not working and the search result turns up as "No result found".

`aws-cloudtrail-sourcetype` eventName=StopInstances OR eventName=RebootInstances OR eventName=TerminateInstances NOT errorCode
| rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId
| stats values(instanceId) as instanceId count(instanceId) as count by awsRegion eventName eventTime userIdentity.arn eventID

0 Karma

kennetkline
Path Finder

I tested your query; it works fine in my environment; I searched 7 days.

This is a search match problem: either your eventName has no matches in the search, or one of the fields right of the by clause is null / empty. Doing a group by on a field that is not populated 100% of the time wreaks havoc.

I see you are searching 30 days, so assuming data is coming in:

1. Check that the event codes you are looking for show up at least once:

`aws-cloudtrail-sourcetype`
| stats count by eventName

2. Do a verbose search and use the interesting fields to check that awsRegion, eventName, eventTime, userIdentity.arn and eventID are all populated 100% of the time; otherwise try to remove some of them one by one in your search. You may need evals to ensure there are no null fields right of the by clause.

We just started our AWS journey. Not sure if permissions or a field alias could be causing the empty field / null value.

I always write my stuff one line at a time; check the fields right of the by clause; else move them to the left with values(field) as field, and probably just keep the eventID / instanceID, assuming they should always be there.


0 Karma
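Putting the steps above together as an added example (not from either poster): the first search counts, per eventName, how many matching events actually carry each by-field, so a field that is null on some events shows up as a lower number than count; the second is a version of the alert that keeps such events instead of letting stats drop them, by moving awsRegion and userIdentity.arn to the left of the by clause and filling missing values. Field names are those from the original query; the "unknown" placeholder value is my assumption, and NOT errorCode=* is the field-based form of the original NOT errorCode keyword filter.

```spl
`aws-cloudtrail-sourcetype` eventName IN (StopInstances, RebootInstances, TerminateInstances) NOT errorCode=*
| rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId
| eval has_arn=if(isnull('userIdentity.arn'),0,1), has_region=if(isnull(awsRegion),0,1), has_eventID=if(isnull(eventID),0,1), has_instance=if(isnull(instanceId),0,1)
| stats count sum(has_arn) AS with_arn sum(has_region) AS with_region sum(has_eventID) AS with_eventID sum(has_instance) AS with_instanceId by eventName

`aws-cloudtrail-sourcetype` eventName IN (StopInstances, RebootInstances, TerminateInstances) NOT errorCode=*
| rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId
| fillnull value="unknown" awsRegion userIdentity.arn ```"unknown" is a placeholder chosen for this example```
| stats values(instanceId) AS instanceId dc(instanceId) AS instance_count values(awsRegion) AS awsRegion values(userIdentity.arn) AS actor by eventName eventTime eventID
```

If the diagnostic shows with_arn lower than count for an eventName, those are the events the original alert silently lost; in the hardened search they still produce a row, with actor set to unknown, so an actor that cannot be attributed is visible rather than hidden.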