Name:Unsuccessful Netbackup backups id:a34aae96-ccf8-4aaa-952c-3ea21444444f version:4 date:2024-11-14 author:David Dorsey, Splunk status:deprecated type:Hunting Description:This search gives you the hosts where a backup was attempted and then failed. Data_source:
search:`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE="An error occurred, failed to backup." | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`
how_to_implement:To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution. known_false_positives:None identified References: drilldown_searches:
: tags: analytic_story: - 'Monitor Backup Solution' asset_type:Endpoint product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint