https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-Alert-when-event-is-ended/m-p/624885#M11217 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/239571">@OnderSentira</a>,</P><P>Is there a possibility that you have following scenario: -</P><P>A1 shipment started<BR />A2 shipment started<BR />A1 shipment ended<BR />A2 shipment ended</P><P>Or its always in a sequential format: -</P><P>A1 shipment started<BR />A1 shipment ended<BR />A2 shipment started<BR />A2 shipment ended</P><P>Thank you</P> Tue, 20 Dec 2022 18:35:33 GMT Taruchit 2022-12-20T18:35:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-Alert-when-event-is-ended/m-p/624878#M11216 <P>Hi,</P><P>As soon as an event ends I want to create an alert and want to sent email with Shipment ID which is ended.</P><P>Example log:</P><P>EVENT GROUP A = Started en ended.</P><LI-CODE lang="markup">2022-12-20 10:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. **** 2022-12-20 10:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061015] **** 2022-12-20 11:06:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****</LI-CODE><P><SPAN class=""><SPAN class=""><SPAN>&nbsp;</SPAN></SPAN></SPAN></P><P><SPAN class=""><SPAN class=""><SPAN>EVENT GROUP B = Started end not ended yet.<BR /></SPAN></SPAN></SPAN></P><LI-CODE lang="markup">2022-12-20 13:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. **** 2022-12-20 13:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061016] ****</LI-CODE><P><SPAN class=""><SPAN class=""><SPAN><BR /></SPAN></SPAN></SPAN><BR />My SPL</P><P>&nbsp;</P><LI-CODE lang="markup">index=app sourcetype=MySource host=MyHost "ShipmentTransferWorker" | eval Shipment_Status =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", NULL)) | transaction host startswith="Execution of Shipment Transfer Worker started" endswith="Execution of Shipment Transfer Worker ended" keepevicted=true | rex "Shipment Number: (?&lt;ShipmentNumber&gt;\d*)" | eval Shipment_Status_Started =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", NULL) | eval Shipment_Status_Ended = if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", NULL) | table ShipmentNumber Shipment_Status_Started Shipment_Status_Ended</LI-CODE><P>&nbsp;</P><P>&nbsp;&nbsp;<BR />suppose that <SPAN class=""><SPAN class=""><SPAN>EVENT GROUP B&nbsp;</SPAN></SPAN></SPAN>ends with following event after 6 hours and then I want to create an Alert and mail with shipment number <SPAN class=""><SPAN class=""><SPAN>000061016</SPAN></SPAN></SPAN>:<BR /><BR /></P><LI-CODE lang="markup">2022-12-20 19:43:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****</LI-CODE><P><SPAN class=""><SPAN class=""><SPAN><BR /><BR /></SPAN></SPAN></SPAN>How can I create trigger and email once the event ends?</P><P>&nbsp;</P> Tue, 20 Dec 2022 17:40:34 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-Alert-when-event-is-ended/m-p/624878#M11216 OnderSentira 2022-12-20T17:40:34Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-Alert-when-event-is-ended/m-p/624885#M11217 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/239571">@OnderSentira</a>,</P><P>Is there a possibility that you have following scenario: -</P><P>A1 shipment started<BR />A2 shipment started<BR />A1 shipment ended<BR />A2 shipment ended</P><P>Or its always in a sequential format: -</P><P>A1 shipment started<BR />A1 shipment ended<BR />A2 shipment started<BR />A2 shipment ended</P><P>Thank you</P> Tue, 20 Dec 2022 18:35:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-Alert-when-event-is-ended/m-p/624885#M11217 Taruchit 2022-12-20T18:35:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-Alert-when-event-is-ended/m-p/624887#M11218 <P>I have mostly the following scenario. It is not always in <SPAN>sequential&nbsp;</SPAN>format.<BR /><BR /><SPAN>A1 shipment started</SPAN><BR /><SPAN>A2 shipment started</SPAN><BR /><SPAN>A1 shipment ended</SPAN><BR /><SPAN>A2 shipment ended</SPAN></P> Tue, 20 Dec 2022 18:55:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-create-Alert-when-event-is-ended/m-p/624887#M11218 OnderSentira 2022-12-20T18:55:09Z