Monitor AWS backup retention period?

danielapopa
New Member

I am very new to the Splunk search language and I still have a lot to learn.
AWS has its own backup service that our infrastructure engineers have set up to run backups every day and delete snapshots after a 7 day retention period.
I need to create a query that will alert me when a snapshot has not been deleted after the 7 day retention period.
I started working on the query to list all created/deleted snapshots, but I cannot seem to filter only the ones that have not been deleted after 7 days.

Can you please give me some ideas?

0 Karma

VatsalJagani
SplunkTrust

@danielapopa - Please give sample events from your data. I mean Splunk data events which show that a backup is taken and a backup is removed, etc.

0 Karma

danielapopa
New Member

So in the AWS console the AWS Backup service starts a backup job daily; the resulting snapshot has a 7 day retention period and after 7 days the snapshot is deleted.
Looking at the events generated in Splunk by this service, from the point the backup job starts and completes successfully until the deletion, I have 3 types of events: eventName=BackupJobStarted, eventName=BackupJobCompleted, eventName=BackupDeleted.
I need to filter only the events that have started and completed but have not been deleted after 7 days.
I started my query like this:
(index=main host=ip.us-west-2.compute.internal) (eventName=BackupDeleted OR eventName=BackupJobCompleted)
but I don't know if I should create a lookup table with the deleted events and use that in my query to exclude the results that have been deleted after the retention period, or a function to compare between the two events.
Please let me know if I was being explicit enough (English is not my native language).

0 Karma
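One way to build the correlation asked for in this thread, added here as an example and not taken from any of the posts: it pairs each BackupJobCompleted event with its BackupDeleted event by a shared identifier and keeps only completed backups older than 7 days that have no deletion. It assumes a field named backup_id is present on both event types (hypothetical; substitute whatever field the two events actually share) and that the search window reaches back further than the retention period.

```spl
index=main host=ip.us-west-2.compute.internal earliest=-30d@d
    (eventName=BackupJobCompleted OR eventName=BackupDeleted)
| stats min(eval(if(eventName=="BackupJobCompleted", _time, null()))) AS completed_time
        max(eval(if(eventName=="BackupDeleted", _time, null()))) AS deleted_time
    BY backup_id
| where isnull(deleted_time) AND completed_time < relative_time(now(), "-7d")
| eval completed=strftime(completed_time, "%Y-%m-%d %H:%M:%S"),
       age_days=round((now() - completed_time) / 86400, 1)
| table backup_id completed age_days
| sort - age_days
```

Saved as an alert that triggers when the result count is greater than 0, each row is a backup that is past its retention period and still present. The earliest= window must stay wider than the retention period, otherwise the completion events of overdue backups never enter the search and nothing is flagged.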