I am trying to get Splunk Enterprise to alert on changes to a security group, with the information being fed in from an AWS account using the Splunk App for AWS. I have the information presented in Splunk with the following search:
`aws-description-resource((aws_account_id="*"), (region="**") , "ec2_security_groups")`
| spath path=rules{} output=ingress
| spath path=rules_egress{} output=egress
| stats count(ingress) as ingress, count(egress) as egress
| eval count=ingress+egress
| nadefault count
This results in a data set that looks like this:
ingress  egress  count
    302     302    604
Now, the problem with this is that I am trying to get an alert generated every time the number of security group rules changes. This information is then fed into the Slack Notification App in order to produce a Splunk Bot post in a particular channel. So far I have not been able to do this with any combination of custom alerts and searches. Any help with this would be greatly appreciated, as this is a necessary integration for our organization.
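One way to turn the search above into a change-detecting alert, as an added example that is not part of the original post: keep the previous run's rule counts in a CSV lookup, compare the current counts against it, write the new counts back, and only emit rows where something changed. The search is scheduled as an alert that triggers when the number of results is greater than zero, with the Slack action attached. Tracking the count per security group rather than one grand total catches the case the original search cannot, where one rule is added and another removed so the total stays the same. The lookup name `sg_rule_count.csv` is an arbitrary choice, and the field holding the group ID is assumed to be `id` (check with `| fields *` on the description events before relying on it); the macro call and the `rules`/`rules_egress` paths are the ones from the post.

```spl
`aws-description-resource((aws_account_id="*"), (region="*"), "ec2_security_groups")`
| spath path=rules{} output=ingress
| spath path=rules_egress{} output=egress
| stats count(ingress) AS ingress, count(egress) AS egress BY aws_account_id region id
| eval count=ingress+egress
| lookup sg_rule_count.csv id OUTPUT count AS previous_count
| eval previous_count=coalesce(previous_count, 0)
| eval delta=count-previous_count
| table aws_account_id region id ingress egress count previous_count delta
| outputlookup sg_rule_count.csv
| where delta!=0
```

The `lookup` command fails if the CSV does not exist yet, so seed it once by running the search down to the `table` line followed only by `| outputlookup sg_rule_count.csv`; after that the scheduled alert maintains it. `coalesce(previous_count, 0)` makes a group that was not in the lookup show up as a change with `previous_count=0`, which covers newly created groups. A group that has been deleted produces no current row and is therefore not reported by this search; if that matters, compare against `| inputlookup sg_rule_count.csv` in a second search. Note that `outputlookup` runs before the `where` filter on purpose, so the lookup always reflects the latest snapshot even on runs that raise no alert.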