Monitor AWS backup retention period?

danielapopa · ‎06-05-2019

I am very new to Splunk search language and I still have a lot to learn.
AWS has it's own backup service that our infrastructure engineers have setup to run backups every day and delete snapshots after a 7 day retention period.
I need to create a query that will alert me when a snapshot has not been deleted after the 7 day retention period.
I started working on the query to list all created/deleted snapshots but I cannot seem to filter only the ones that have not been deleted after 7 days.

Can you please give me some ideas?

VatsalJagani · ‎06-05-2019

@danielapopa - Please give sample events from your data. I mean Splunk data events which shows backup is taken and backup is removed, etc.

danielapopa · ‎06-05-2019

So in AWS console the aws backup service starts daily a backup job and the resulted snapshot has a 7 day retention period and after 7 days the snapshot is deleted.
looking at the events generated in Splunk by this service from the point the backup job starts and completes successfully and until the deletion I have 3 types of events eventName=BackupJobStarted, eventName=BackupJobCompleted, eventName=BackupDeleted.
I need to filter only the events that have started, completed but have not been deleted after 7 days.
Started my query like this:
(index=main host=ip.us-west-2.compute.internal) (eventName=BackupDeleted OR eventName=BackupJobCompleted)
but I don't know if I should create a lookup table with the deleted events and and use that in my query to exclude the results that have been deleted after the retention period or a function to compare between the two events.
Please let me know if I was being explicit enough(English is not my native language).

Monitor AWS backup retention period?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk