To analyze the data Open Raven discovers and to build custom reports, use the embedded Splunk interface. You can find it under “Analytics” in the navigation menu on the left side of the Open Raven console.

To explore data with Splunk, you will need to:

  1. Go to the “Search” section in “Analytics”
  2. Make Queries
  3. Explore Events
  4. Export Results

Let’s get started.

Step 1. Go to the “Search” section in “Analytics”

Click “Analytics” in the left-hand navigation menu in Open Raven. You will be taken to the “Search” section of Splunk, where you can run queries written in Splunk’s Search Processing Language (SPL).

Step 2. Make Queries

Let’s take a look at two common SPL queries.

The first common query creates (and lets you export) a list of all your AWS assets. Open Raven records each asset more than once over time, so dedup arn keeps only the most recent event per Amazon Resource Name (ARN); the table command then selects the columns to display:

index=assets | dedup arn | table arn awsAccountId resourceType awsRegion

The second common query creates (and lets you export) S3 bucket details. It filters the assets index to S3 buckets, renames two nested configuration fields to friendlier column names, and tabulates the result:

index=assets resourceType="AWS::S3::Bucket" | rename supplementaryConfiguration.BucketPolicyStatus.isPublic AS Public supplementaryConfiguration.BucketLoggingConfiguration.loggingEnabled AS "Logging Enabled" | table arn awsRegion sizeInBytes "Logging Enabled" Public

Paste either query into the search box on the “Search” page.
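The two queries above list assets; the query a practitioner usually wants next is the one that surfaces the risky subset. The following SPL is an added example, not a query from the Open Raven documentation or product. It reuses the index and field names shown above (index=assets, resourceType, arn, awsAccountId, awsRegion, sizeInBytes, and the two supplementaryConfiguration fields) to find S3 buckets that are public and have no access logging enabled, sorted largest first. It assumes the isPublic and loggingEnabled fields are stored as the strings or booleans true/false; if your events store them as 1/0, adjust the two filter lines accordingly.

```spl
index=assets resourceType="AWS::S3::Bucket"
    supplementaryConfiguration.BucketPolicyStatus.isPublic=true
    supplementaryConfiguration.BucketLoggingConfiguration.loggingEnabled=false
| dedup arn
| rename supplementaryConfiguration.BucketPolicyStatus.isPublic AS Public,
         supplementaryConfiguration.BucketLoggingConfiguration.loggingEnabled AS "Logging Enabled"
| eval sizeGB=round(sizeInBytes/1073741824, 2)
| sort -sizeInBytes
| table arn awsAccountId awsRegion sizeGB Public "Logging Enabled"
```

The filters are applied before dedup and rename so that Splunk can use the indexed field names directly, and dedup arn again keeps one row per bucket (the most recent observation). The eval line converts sizeInBytes to gigabytes only for display; the sort still uses the raw byte count. A companion summary that is often useful for the first query is a count of assets per account and type, for example index=assets | dedup arn | stats count by awsAccountId resourceType | sort -count.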

Next, pick a time range via the “TimePicker” menu. This bounds the search to events indexed within that window; because Open Raven records assets repeatedly, a window that is too narrow can omit assets that were not observed during it. You can choose from:

  • Presets (use preset time ranges)
  • Relative (create a custom time range)
  • Date Range (define custom calendar dates)
  • Date & Time Range (define custom calendar dates and times)
  • Advanced (define the earliest and latest search times).

Click “Submit.”

Step 3. Explore Events

When the query has run (which may take several seconds), you will see:

  1. Raw Events Timeline. A simple chart that shows the total event count for each interval in the selected time range.
  2. Raw Events View. The raw details of every matching event, including AWS Account ID, AWS Region, resource type, and so on.
  3. Tabular Events View. The columns selected by the query’s table command. For the AWS asset query, this view shows the Amazon Resource Name (ARN), AWS Account ID, resource type, and AWS region.

For the S3 bucket query, the tabular view shows the ARN, AWS region, size in bytes, whether logging is enabled, and whether the bucket is public, in an easy-to-read table.

Step 4. Export Results

To take your query results outside of Open Raven, you can export the Raw Events Timeline, the Raw Events View, and the Tabular Events View, as applicable.

To export results, click the arrow (“Export”) located underneath the view you want to export. This is also where you can refresh each view.

Then choose the format (CSV, XML, or JSON), a file name (if you leave this blank, the file is named after the search job ID), and the number of results to include (if you leave this blank, all results are exported).

Click “Export.”

We're Here to Help!

Our team is happy to help answer questions, write Splunk queries, and provide additional analytics support. Please contact the support team via email at [email protected].