Hello Masters,

I've the index

index="xxx_generic_app_audit_prd" sourcetype="xxx:designeng:syslog" host="15.250.99.*" OR host="15.246.49.*" "*/testshare/APP1/OUT/*" AND "BANP3*" | search "Subsystem: XCOM" AND "Event Number: 01"

Log is coming as below:

Dec 5 14:30:43 Web ViewPoint Enterprise: Owner: XCOM Subsystem: XCOM Event Number: 01 Generation TIme: 2022-12-05 14:30:41 Text: XCOM: File Receive ended REQ 086694, Remote LU 10.38.46.122, File $PRD10.FILE01.C221205C Remotefile /testshare/APP1/OUT/C221205C 341797 bytes, 3336 records in 234564 microsec Event Type: Normal Process: \BANP3.$X2LD Content Standard: Subject: Custom Text: Source: WVPE Passvalue: 0 Node Name: \BANP3
host = 15.246.49.129
index = xxx_generic_app_audit_prd
source = /syslogdata/dns/test.internal.xxx/logs/2022-12-05/hp/15.246.49.129/2022-12-05-14_user.log
sourcetype = xxx:designeng:syslog

Where as once the input file is received, the application job should process this file and complete. The log for completed job as follows.

index="xxx_generic_app_audit_prd" sourcetype="xxx:designeng:syslog" host="15.250.44.*" OR host="15.246.44.*" "BANP3*" | search "Subsystem: 800" AND "Event Number: 42"

Dec 5 15:00:14 Web ViewPoint Enterprise:
Owner: DELUXE
Subsystem: 800
Event Number: 42
Generation TIme: 2022-12-05 15:00:13
Text: CBM042 Batch finished, Chg=B221205C, Recs=3336, Errs=0
Event Type: Normal
Process: \BANP3.$X3F1
Content Standard:
Subject:
Custom Text:
Source: WVPE
Passvalue: 0
Node Name: \BANP3
host = 15.246.44.129index = xxx_generic_app_audit_prd source = /syslogdata/dns/test.internal.xxx/logs/2022-12-05/hp/15.246.49.129/2022-12-05-14_user.log
sourcetype = xxx:designeng:syslog

My requirement is to marry both these logs and create a alert only when input file is received, where as no log for output file. Could you please assist