I am trying to alert on missing AWS snapshots in a time window of the past 4 hours.
The collector pulls in around 50 events every hour, including the same past events from days ago, rather than what actually occurred during the timestamp window. It marks them as having occurred at the time collected, rather than when the snapshot ran (start_time). Dedup gets rid of the multiple occurrences in a 4-hour window and leaves just the last collection, but that is still 50ish old events (including the most recent).
I either need to have it not re-collect old events that happened before my specified window, or to have it mark the timestamp according to the start_time in the AWS event. The format of the start_time is such that I don't think Splunk reads it in a way that I can say "where start_time<-4h". Maybe it can and I am doing it wrong... I am open to suggestions. Thanks.
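The core of the problem above is that the collector stamps every record with its collection time, so a time-range search returns stale snapshots. The check has to key on the snapshot's own start_time instead. The following Python example, added here and not part of the original post or the Splunk add-on, shows that logic end to end on constructed events: it parses the ISO 8601 start_time string that the EC2 DescribeSnapshots API returns, keeps only the latest collected record per snapshot (the dedup step), filters to snapshots whose start_time falls inside the past 4 hours, and raises the alert condition when none do. The field names `snapshot_id`, `start_time` and `collected_at`, the sample snapshot ids and the timestamps are all constructed for the example; the same two steps in SPL are an `eval` that converts start_time with `strptime()` followed by a `where` against `relative_time(now(), "-4h")`.

```python
from datetime import datetime, timedelta, timezone

# AWS returns snapshot start times as ISO 8601 UTC strings with millisecond
# precision, e.g. "2024-05-01T03:15:42.000Z". This is the strptime pattern
# for that shape (assumption: the collector passes the string through unchanged).
AWS_START_TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed "now" and constructed collector output. Every record carries the
# time the collector pulled it (collected_at), which is what the index uses as
# the event time, plus the snapshot's real start_time from AWS.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # an old snapshot re-collected every hour for four hours
    {"snapshot_id": "snap-0ld00001", "start_time": "2024-04-28T02:00:00.000Z",
     "collected_at": NOW - timedelta(hours=4)},
    {"snapshot_id": "snap-0ld00001", "start_time": "2024-04-28T02:00:00.000Z",
     "collected_at": NOW - timedelta(hours=3)},
    {"snapshot_id": "snap-0ld00001", "start_time": "2024-04-28T02:00:00.000Z",
     "collected_at": NOW - timedelta(hours=2)},
    {"snapshot_id": "snap-0ld00001", "start_time": "2024-04-28T02:00:00.000Z",
     "collected_at": NOW - timedelta(hours=1)},
    # a snapshot that started just outside the 4-hour window (4h01m ago)
    {"snapshot_id": "snap-b0undary", "start_time": "2024-05-01T07:59:00.000Z",
     "collected_at": NOW - timedelta(hours=1)},
    # the one snapshot that actually ran inside the window
    {"snapshot_id": "snap-0c0ffee", "start_time": "2024-05-01T09:30:00.000Z",
     "collected_at": NOW - timedelta(hours=1)},
]


def parse_start_time(value):
    """Convert the AWS start_time string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, AWS_START_TIME_FMT).replace(tzinfo=timezone.utc)


def latest_collection(events):
    """Dedup step: keep only the most recently collected record per snapshot_id."""
    by_id = {}
    for ev in events:
        current = by_id.get(ev["snapshot_id"])
        if current is None or ev["collected_at"] > current["collected_at"]:
            by_id[ev["snapshot_id"]] = ev
    return list(by_id.values())


def snapshots_started_within(events, now, window=timedelta(hours=4)):
    """Filter on the snapshot's own start_time, not on when it was collected."""
    cutoff = now - window
    return [ev for ev in latest_collection(events)
            if parse_start_time(ev["start_time"]) >= cutoff]


def missing_snapshot_alert(events, now, window=timedelta(hours=4)):
    """Alert condition: True when no snapshot started inside the window."""
    return len(snapshots_started_within(events, now, window)) == 0


if __name__ == "__main__":
    recent = snapshots_started_within(SAMPLE_EVENTS, NOW)
    print("records after dedup:", len(latest_collection(SAMPLE_EVENTS)))
    print("started in last 4h:", [ev["snapshot_id"] for ev in recent])
    print("alert:", missing_snapshot_alert(SAMPLE_EVENTS, NOW))
```

Note that the dedup alone still leaves three distinct snapshots, only one of which belongs to the window; that is the "50ish old events" effect, and the start_time filter is what removes it. Anything outside the window by even a minute (the `snap-b0undary` record) is dropped, so the alert fires only when the window is genuinely empty.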