Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert if event A occurs and there are no event B during that period?

Yulworm
Engager
‎11-08-2022 10:56 AM

I have a process that can generate one of two events:

  • A = the process could not be completed, will try again later
  • B = the process was completed

There can be some instability, so it is to be expected that the process can't be completed for a brief period but then is able to complete it. I want to send an alert only when there are just incomplete processes for the period.

query results Alert ?
A yes
A
B		 no
B no
(none)

no

 

The question https://community.splunk.com/t5/Alerting/Alert-if-event-B-occurs-without-event-A/m-p/461075 seems to ask the same thing, but I am not sure it was answered.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2022 03:03 PM 
<your search>
| eval typeA=if(<your way of determining event is type A>,"A",null())
| eval typeB=if(<your way of determining event is type B>,"B",null())
| bin _time span=<your time period e.g. 1h>
| stats count(typeA) as A, count(typeB) as B by _time
| where A > 0 AND B = 0 OR isnull(B)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Yulworm
Engager
‎12-30-2022 07:03 AM

@ITWhisperer I adapted your solution slightly by removing the time spans, since the alert will be configured with a time span, I felt it was redundent . Thanks for your help

"Fichier * transmis vers MFT" cf_space_name=staging
| rex field=_raw "Fichiers\s(?<BienOrNon>[a-zA-Z]+)\stransmis"
| eval typeError=if(BienOrNon=="non","E",null())
| eval typeGood=if(BienOrNon=="bien","G",null())
| stats count(typeError) as E, count(typeGood) as G
| where E > 0 AND (G = 0 OR isnull(G))

 

0 Karma
Reply
Solved! Jump to solution

Yulworm
Engager
‎11-08-2022 02:16 PM

 

A

query = "Fichiers non"

2022-11-08 21:11:55.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:55.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers non transmis vers MFT

B

query = "Fichiers bien"

2022-11-08 21:11:56.084 WARN 108 --- [TaskExecutor-74] c.d.p.a.mft.PersistenceFichierMft : [LOTS] temps=2022-11-08T16:11:56.084364, evenement=Sauvegarde du fichier MFT, lot_id=f2e08882-7766-4dbb-b0c8-78031bbf0abb, Fichiers bien transmis vers MFT

 

I can write queries to find events of type A and B

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2022 03:03 PM 
<your search>
| eval typeA=if(<your way of determining event is type A>,"A",null())
| eval typeB=if(<your way of determining event is type B>,"B",null())
| bin _time span=<your time period e.g. 1h>
| stats count(typeA) as A, count(typeB) as B by _time
| where A > 0 AND B = 0 OR isnull(B)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2022 11:26 AM

Can you provide some sample events (anonymised of course)?

Also, do you already have a search / report which returns which events occurred in the period?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...