Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions - query not working

jaibalaraman
Path Finder
‎10-21-2020 03:26 PM

Hi 

We have installed " Splunk for AWS", how the below alert is not working and search result turn up as " No result found " Capture.JPG 

`aws-cloudtrail-sourcetype` eventName=StopInstances OR eventName=RebootInstances OR eventName=TerminateInstances NOT errorCode   | rename "requestParameters.instancesSet.items{}.instanceId" AS instanceId |  stats values(instanceId) as instanceId count(instanceId) as count by awsRegion eventName eventTime userIdentity.arn eventID

 

0 Karma
Reply

kennetkline
Path Finder
‎10-22-2020 12:17 PM

I tested your query;  It works fine in my environment; I searched 7 days;

This is a search match problem;  Either in search your eventName has no matches;  Or one of the fields right of the by clause is null / empty.   Doing a group by on a field that is not populated 100% of the time recks havoc

I see you are searching 30 days so assuming data coming in:

1.  Check the Event Codes you are looking for show up at least once:

 

`aws-cloudtrail-sourcetype` 
| stats count by eventName

 

2.  do a verbose each and use the interesting fields; to check awsRegion, evenname, eventTime, userIdentity.arn eventID

are all populated 100% of the time;  otherwise try and remove some of them one by one in your search.  you either need evals to ensure no no fields right of by clause.  

We just started our aws journey.  Not sure if permissions or field alias could be causing empty field / null value.

I aways write my stuff one line at a time; check the fields right of the by clause;  else move them to the left with values(field) as field   and probably just keep the eventID / instanceID assuming they should be there always

 

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...