https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589470#M13607 <P>Start with the data. What events do you have ingested into splunk?</P> Thu, 17 Mar 2022 08:51:43 GMT ITWhisperer 2022-03-17T08:51:43Z https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589431#M13606 <P>Hello,</P> <P>I'd ask for a help on how to write a query where I need to get an alert "when there's a user added to a specific group and then removed from the group within 1 Hour time."</P> <P>I'm new to Splunk, any help appreciated.</P> Thu, 17 Mar 2022 04:57:14 GMT https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589431#M13606 kvm 2022-03-17T04:57:14Z https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589470#M13607 <P>Start with the data. What events do you have ingested into splunk?</P> Thu, 17 Mar 2022 08:51:43 GMT https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589470#M13607 ITWhisperer 2022-03-17T08:51:43Z https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589479#M13608 <P>I have Microsoft Teams data.</P> Thu, 17 Mar 2022 09:49:18 GMT https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589479#M13608 kvm 2022-03-17T09:49:18Z https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589486#M13609 <P>Can you share some sample events (anonymised)?</P> Thu, 17 Mar 2022 10:14:04 GMT https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589486#M13609 ITWhisperer 2022-03-17T10:14:04Z https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589492#M13610 <P>Here it is,</P><P>&nbsp;</P><P>{"AADGroupId": "3100c98b-8326-454458-003423", "CommunicationType": "Team", "CreationTime": "2022-03-17T08:11:51", "ExtraProperties": [], "Id": "9a706da1-cf0-c66248e", "ItemName": "xxxxxxx", "Members": [{"DisplayName": "def, abc", "Role": 1, "UPN": "abc@teams.com"}], "<STRONG>Operation": "MemberAdded",</STRONG> "OrganizationId": "e092a8e1", "RecordType": 25, "TeamGuid": "19:NMnHsgIOE_r6fULTi5XzydC9g1@thr.acv2", "TeamName": "xxxxxxx", "UserId": "abc@teams.com", "UserKey": "0b6cedcb-2a3386", "UserType": 0, "Version": 1, "Workload": "MicrosoftTeams"}</P><P>{"AADGroupId": "0158b60c-34ba9b", "CommunicationType": "Team", "CreationTime": "2022-03-17T08:39:08", "ExtraProperties": [], "Id": "24214374ab6", "ItemName": "yyyyyyyyyy", "Members": [{"DisplayName": "def, abc", "Role": 3, "UPN": "abc@teams.com"}], <STRONG>"Operation": "MemberRemoved",</STRONG> "OrganizationId": "e092ae38-85aa8", "RecordType": 25, "TeamGuid": "19:ELsX6SdpXH5241@thr.acv2", "TeamName": "yyyyyyyyyy", "UserId": "abc@teams.com", "UserKey": "5f4381bd-7ed505", "UserType": 0, "Version": 1, "Workload": "MicrosoftTeams"}</P> Thu, 17 Mar 2022 10:31:45 GMT https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589492#M13610 kvm 2022-03-17T10:31:45Z https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589496#M13611 <P>Assuming you have _time as the timestamp for the events, you can run a scheduled report over the last hour, say every 5 minutes and alert if you get any results</P><LI-CODE lang="markup">... your index | spath Operation | spath UserId | eval timeadded=if(Operation="MemberAdded",_time,null()) | eval timeremoved=if(Operation="MemberRemoved",_time,null()) | stats values(timeadded) as timeadded values(timeremoved) as timeremoved by UserId | where isnotnull(timeadded) AND isnotnull(timeremoved) and timeadded &lt;= timeremoved</LI-CODE> Thu, 17 Mar 2022 11:10:37 GMT https://community.splunk.com/t5/Alerting/How-to-create-time-based-alert/m-p/589496#M13611 ITWhisperer 2022-03-17T11:10:37Z