Alerting

Alert if event A occurs and there is no event B during that period?

Yulworm
Engager

I have a process that can generate one of two events:

  • A = the process could not be completed, will try again later
  • B = the process was completed

There can be some instability, so it is to be expected that the process can't be completed for a brief period but then is able to complete it. I want to send an alert only when there are just incomplete processes for the period.

query results    Alert?
A                yes
A, B             no
B                no
(none)           no


The question https://community.splunk.com/t5/Alerting/Alert-if-event-B-occurs-without-event-A/m-p/461075 seems to ask the same thing, but I am not sure it was answered.

ITWhisperer
SplunkTrust
<your search>
| eval typeA=if(<your way of determining event is type A>,"A",null())
| eval typeB=if(<your way of determining event is type B>,"B",null())
| bin _time span=<your time period e.g. 1h>
| stats count(typeA) as A, count(typeB) as B by _time
| where A > 0 AND (B = 0 OR isnull(B))


Yulworm
Engager

@ITWhisperer I adapted your solution slightly by removing the time spans, since the alert will be configured with a time span, I felt it was redundant. Thanks for your help

"Fichiers * transmis vers MFT" cf_space_name=staging
| rex field=_raw "Fichiers\s(?<BienOrNon>[a-zA-Z]+)\stransmis"
| eval typeError=if(BienOrNon=="non","E",null())
| eval typeGood=if(BienOrNon=="bien","G",null())
| stats count(typeError) as E, count(typeGood) as G
| where E > 0 AND (G = 0 OR isnull(G))

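The detection logic of ITWhisperer's query and Yulworm's adapted version, as an added Python example (not code from this thread): it extracts "non"/"bien" from the MFT log lines, applies the equivalent of `bin _time` / `stats count` / `where`, and covers the four cases from the question's table. The regex, the one-hour span default and the extra 23:xx sample lines are assumptions; the two 21:11 lines are the ones quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line layout, taken from the samples quoted in the thread:
# "Fichiers non transmis" = A (not completed, retry later), "Fichiers bien transmis" = B (completed).
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) .*?Fichiers\s(?P<status>[a-zA-Z]+)\stransmis")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
KIND_BY_STATUS = {"non": "A", "bien": "B"}

def classify(lines):
    """Yield (timestamp, 'A' or 'B') for every line that matches; other lines are skipped."""
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("status").lower() in KIND_BY_STATUS:
            yield datetime.strptime(m.group("ts"), TS_FMT), KIND_BY_STATUS[m.group("status").lower()]

def bin_start(ts, span):
    """Floor ts to the start of its span-sized bucket, like `bin _time span=1h`."""
    epoch = datetime(1970, 1, 1)
    secs = (ts - epoch).total_seconds() // span.total_seconds() * span.total_seconds()
    return epoch + timedelta(seconds=secs)

def alert_windows(lines, span=timedelta(hours=1)):
    """ITWhisperer's form: bucket starts where A occurred and no B arrived in the same bucket
    (stats count(typeA) as A, count(typeB) as B by _time | where A > 0 AND B = 0)."""
    counts = {}
    for ts, kind in classify(lines):
        counts.setdefault(bin_start(ts, span), Counter())[kind] += 1
    return sorted(start for start, c in counts.items() if c["A"] > 0 and c["B"] == 0)

def should_alert(lines):
    """Yulworm's form: the alert's own time range is the period, so no binning."""
    c = Counter(kind for _, kind in classify(lines))
    return c["A"] > 0 and c["B"] == 0

# Constructed sample: the two thread lines (A then B within 21:00-22:00, so no alert) plus a
# later hour with only the failure event and one unrelated line (lot_id below is a placeholder).
SAMPLE = [
    "2022-11-08 21:11:55.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:55.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers non transmis vers MFT",
    "2022-11-08 21:11:56.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:56.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers bien transmis vers MFT",
    "2022-11-08 23:05:10.000 WARN 108 --- [TaskExecutor-12] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T18:05:10.000000, evenement=Sauvegarde du fichier MFT, lot_id=00000000-0000-0000-0000-000000000000, Fichiers non transmis vers MFT",
    "2022-11-08 23:20:00.000 INFO 108 --- [TaskExecutor-12] c.d.p.a.mft.Scheduler : [LOTS] tick",
]

if __name__ == "__main__":
    for start in alert_windows(SAMPLE):
        print(f"ALERT: only incomplete transfers in window starting {start}")
```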

Yulworm
Engager


A

query = "Fichiers non"

2022-11-08 21:11:55.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:55.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers non transmis vers MFT

B

query = "Fichiers bien"

2022-11-08 21:11:56.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:56.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers bien transmis vers MFT


I can write queries to find events of type A and B



ITWhisperer
SplunkTrust
SplunkTrust

Can you provide some sample events (anonymised of course)?

Also, do you already have a search / report which returns which events occurred in the period?
