https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461084#M8184 <P>If you are correct, then the event_count should be 2.</P> Wed, 03 Jun 2020 11:11:13 GMT to4kawa 2020-06-03T11:11:13Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461075#M8175 <P>Hello Splunkers!</P> <P>I have an event A from source A and event B from source B.</P> <P>I need an alert when event B occurs without event A... Is this feasible? Could you please help me or post some suggestions?</P> <P>Thanks in Advance!</P> Tue, 08 Nov 2022 15:27:54 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461075#M8175 sarahnazzar 2022-11-08T15:27:54Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461076#M8176 <PRE><CODE>(index=A source=A event=A) OR (index=B source=B event=B) | eval common=coalesce(eventA,eventB) | stats count(eval(source="A")) as A count(eval(source="B")) as B by common | where B &gt; 0 AND A = 0 </CODE></PRE> Thu, 21 May 2020 09:22:11 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461076#M8176 to4kawa 2020-05-21T09:22:11Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461077#M8177 <P>Thanks for the response @to4kawa !</P> <P>In my case, event A and event B are the raw events, I don't have any fields extracted over there..</P> Thu, 21 May 2020 10:01:37 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461077#M8177 sarahnazzar 2020-05-21T10:01:37Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461078#M8178 <P>well, why don't you provide sample logs?</P> Thu, 21 May 2020 10:17:07 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461078#M8178 to4kawa 2020-05-21T10:17:07Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461079#M8179 <P>PFB sample logs ,</P> <P>EventA : Thu May 13 2020 00:15:05 mailsv1 sshd[4351]: Failed password for invalid user guest from 86.212.199.60 port 3771 ssh2</P> <P>Event B : Thu May 13 2020 01:16:05 mailsv1 sshd[46748]: Received disconnect from 86.212.199.60: disconnected by user</P> Thu, 21 May 2020 11:53:58 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461079#M8179 sarahnazzar 2020-05-21T11:53:58Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461080#M8180 <P>two events have same <CODE>ip address</CODE>.<BR /> Let's extract and collect them.</P> Thu, 21 May 2020 21:00:56 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461080#M8180 to4kawa 2020-05-21T21:00:56Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461081#M8181 <P>Hi.. in some cases the IPs are not same.. we need to filter using the string "Failed password" and "Received disconnect" and frame the query..</P> <P>Thanks for your response @to4kawa!</P> Wed, 27 May 2020 08:30:04 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461081#M8181 sarahnazzar 2020-05-27T08:30:04Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461082#M8182 <PRE><CODE>... | rex "(?&lt;status&gt;Failed password|Received disconnect)" | reverse | streamstats dc(status) as status_count | where status_count =1 AND status="Received disconnect" </CODE></PRE> <P>when event count &gt; 0 , fire alert. </P> Wed, 27 May 2020 08:59:04 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461082#M8182 to4kawa 2020-05-27T08:59:04Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461083#M8183 <P>Thanks for the response @to4kawa <BR /> I tried the using the query but its fetching event 2 even if event 1 occurred.</P> Tue, 02 Jun 2020 13:06:23 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461083#M8183 sarahnazzar 2020-06-02T13:06:23Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461084#M8184 <P>If you are correct, then the event_count should be 2.</P> Wed, 03 Jun 2020 11:11:13 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/461084#M8184 to4kawa 2020-06-03T11:11:13Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/619733#M14486 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/35136">@sarahnazzar</a>&nbsp;, did you manage to get this working? Your comment implies that it does not work and I have not been able to adapt it to my, very similar, context</P> Fri, 04 Nov 2022 21:27:07 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/619733#M14486 Yulworm 2022-11-04T21:27:07Z https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/619744#M14487 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/250974">@Yulworm</a>&nbsp;Please can you open a new providing more detail on your usecase?</P> Sat, 05 Nov 2022 07:03:16 GMT https://community.splunk.com/t5/Alerting/Suggestions-to-write-an-alert-if-event-B-occurs-without-event-A/m-p/619744#M14487 ITWhisperer 2022-11-05T07:03:16Z