Alerting

Alert if event A occurs and there are no event B during that period?

Yulworm
Engager

I have a process that can generate one of two events:

  • A = the process could not be completed, will try again later
  • B = the process was completed

There can be some instability, so it is to be expected that the process can't be completed for a brief period but then is able to complete it. I want to send an alert only when there are just incomplete processes for the period.

query results Alert ?
A yes
A
B
no
B no
(none)

no

 

The question https://community.splunk.com/t5/Alerting/Alert-if-event-B-occurs-without-event-A/m-p/461075 seems to ask the same thing, but I am not sure it was answered.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
<your search>
| eval typeA=if(<your way of determining event is type A>,"A",null())
| eval typeB=if(<your way of determining event is type B>,"B",null())
| bin _time span=<your time period e.g. 1h>
| stats count(typeA) as A, count(typeB) as B by _time
| where A > 0 AND B = 0 OR isnull(B)

View solution in original post

0 Karma

Yulworm
Engager

@ITWhisperer I adapted your solution slightly by removing the time spans, since the alert will be configured with a time span, I felt it was redundent . Thanks for your help

"Fichier * transmis vers MFT" cf_space_name=staging
| rex field=_raw "Fichiers\s(?<BienOrNon>[a-zA-Z]+)\stransmis"
| eval typeError=if(BienOrNon=="non","E",null())
| eval typeGood=if(BienOrNon=="bien","G",null())
| stats count(typeError) as E, count(typeGood) as G
| where E > 0 AND (G = 0 OR isnull(G))

 

0 Karma

Yulworm
Engager

 

A

query = "Fichiers non"

2022-11-08 21:11:55.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:55.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers non transmis vers MFT

B

query = "Fichiers bien"

2022-11-08 21:11:56.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:56.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers bien transmis vers MFT

 

I can write queries to find events of type A and B

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
<your search>
| eval typeA=if(<your way of determining event is type A>,"A",null())
| eval typeB=if(<your way of determining event is type B>,"B",null())
| bin _time span=<your time period e.g. 1h>
| stats count(typeA) as A, count(typeB) as B by _time
| where A > 0 AND B = 0 OR isnull(B)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you provide some sample events (anonymised of course)?

Also, do you already have a search / report which returns which events occurred in the period?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...