So in AWS console the aws backup service starts daily a backup job and the resulted snapshot has a 7 day retention period and after 7 days the snapshot is deleted.
looking at the events generated in Splunk by this service from the point the backup job starts and completes successfully and until the deletion I have 3 types of events eventName=BackupJobStarted, eventName=BackupJobCompleted, eventName=BackupDeleted.
I need to filter only the events that have started, completed but have not been deleted after 7 days.
Started my query like this:
(index=main host=ip.us-west-2.compute.internal) (eventName=BackupDeleted OR eventName=BackupJobCompleted)
but I don't know if I should create a lookup table with the deleted events and and use that in my query to exclude the results that have been deleted after the retention period or a function to compare between the two events.
Please let me know if I was being explicit enough(English is not my native language).
... View more