Splunk Search

CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions - query not working

jaibalaraman
Path Finder

Hi 

We have installed "Splunk for AWS", but the alert below is not working and the search result turns up as "No result found".

`aws-cloudtrail-sourcetype` eventName=StopInstances OR eventName=RebootInstances OR eventName=TerminateInstances NOT errorCode
| rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId
| stats values(instanceId) as instanceId count(instanceId) as count by awsRegion eventName eventTime userIdentity.arn eventID

 

0 Karma

kennetkline
Path Finder

I tested your query; it works fine in my environment; I searched 7 days.

This is a search match problem: either your eventName has no matches in the search, or one of the fields to the right of the by clause is null / empty. Doing a group by on a field that is not populated 100% of the time wreaks havoc.

I see you are searching 30 days so assuming data coming in:

1.  Check that the event codes you are looking for show up at least once:

 

`aws-cloudtrail-sourcetype` 
| stats count by eventName

 

2.  Do a verbose search and use the Interesting Fields to check that awsRegion, eventName, eventTime, userIdentity.arn and eventID

are all populated 100% of the time; otherwise try removing them from your search one by one. You either need evals to ensure there are no null fields to the right of the by clause.

We just started our aws journey.  Not sure if permissions or field alias could be causing empty field / null value.

I always write my stuff one line at a time; check the fields to the right of the by clause; else move them to the left with values(field) as field, and probably just keep the eventID / instanceID, assuming they should always be there.

 

0 Karma
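The two-step check described in the answer, written out as SPL (this is an added example, not either poster's search): the first search counts how often each by-field is actually populated per eventName, and the second is a variant of the original alert that moves the sparsely populated fields out of the by clause and fills any remaining nulls, so a missing awsRegion or userIdentity.arn can no longer drop the whole row. The macro name and the CloudTrail field paths are taken from the thread; the placeholder value "unknown" is an assumption.

```spl
```` Step 1: confirm the eventNames match at all, and measure how often each
```` by-field is populated (1 = present, 0 = null) for the matching events.
`aws-cloudtrail-sourcetype` eventName=StopInstances OR eventName=RebootInstances OR eventName=TerminateInstances
| eval has_region=if(isnull(awsRegion),0,1),
       has_arn=if(isnull('userIdentity.arn'),0,1),
       has_time=if(isnull(eventTime),0,1),
       has_eventid=if(isnull(eventID),0,1)
| stats count,
        sum(has_region) AS region_populated,
        sum(has_arn) AS arn_populated,
        sum(has_time) AS time_populated,
        sum(has_eventid) AS eventid_populated
        BY eventName
```` Any column that is lower than count identifies a field that silently
```` removes rows when it sits to the right of "by" in the alert.

```` Step 2: the alert rewritten so a null by-field cannot empty the result.
```` "NOT errorCode=*" is the field-based form of the original "NOT errorCode"
```` (assumption: errorCode is extracted as a field, as it is for CloudTrail JSON).
`aws-cloudtrail-sourcetype` eventName=StopInstances OR eventName=RebootInstances OR eventName=TerminateInstances NOT errorCode=*
| rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId
```` Fill nulls on the fields we still want to group by; "unknown" is a placeholder.
| fillnull value="unknown" awsRegion eventTime
```` Group only on fields that CloudTrail always emits (eventName, eventID, eventTime);
```` the sparse ones move to the left of "by" as values(), as the answer suggests.
| stats values(instanceId) AS instanceId,
        count(instanceId) AS count,
        values(awsRegion) AS awsRegion,
        values('userIdentity.arn') AS principal_arn
        BY eventName eventTime eventID
```` Rows are produced even when awsRegion or userIdentity.arn is missing,
```` so the alert still fires on the stop/reboot/terminate event itself.
```

In step 1, a field whose *_populated column is below count is the one to take out of the by clause in the alert.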