Yes all event .but some are json format

Can you provide sample events?

Without actual sample events, this may not match your use case exactly, but it's a starting point.

I've used the following events to test:

2023-11-12 00:00:00 id=1 name=a hello how where
2023-11-12 00:01:00 id=2 name=b hello how where
2023-11-12 00:03:00 id=1 name=a completed
2023-11-12 00:10:00 id=3 name=c hello how where
2023-11-12 00:10:00 id=4 name=d hello how where
2023-11-12 00:14:00 id=3 name=c completed
2023-11-12 00:16:00 id=4 name=d completed

Save the following as an alert, and schedule it to run every minute:

((index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)) earliest=-6m@m latest=@m
| addinfo
| where _time<relative_time(info_max_time, "-5m@m") OR match(_raw, "completed")
| transaction keepevicted=t id name startswith="hello AND how AND where" endswith="completed"
| where (closed_txn==0 AND NOT match(_raw, "completed")) OR duration>300
| table _time id name

You can test the search using hard-coded, 6-minute timespans instead of earliest=-6m@m latest=@m. There will be a >1 minute delay before alerts are triggered, but the 6-minute time range allows us to cover the start time +/- 30 seconds of a sliding 5-minute window.

Using the sample data, alerts would be triggered at the following times:

Execution time: ~2023-11-12 00:07:00 - no completed event
=>

Execution time: ~2023-11-12 00:16:00 - completed event late (>5 minutes)
=>

Please help me on below things:

Requirements:

Once 3 events meets, immediately next event should published.if event is not published after 5 min ,need alert.

Example :

We have one customerno.for the customer number ,I have to search whether 3 events meets logs available in the splunk log or not 

Ex: index= 1 source type ="abc" "s1 event received" and "s2 event received" and "s3 event received"  

When I search above query ,I will be getting like

S1 received for 12345 customer

S2 received for 12345 customer

S3 received for 12345 customer

If for one customer,all 3 event are met,next i want to search "created" message available in the splunk for same customer (12345)

Here "created" message index and source type is different

If "created" message not available for 12345 customer no after 5 min once all 3 events meets,I need alert.pls help on this query.

Could you please replicate and share the search the query in splunk 

Please help me on below things:

Requirements:

Once 3 events meets, immediately next event should published.if event is not published after 5 min ,need alert.

Example :

We have one customerno.for the customer number ,I have to search whether 3 events meets logs available in the splunk log or not 

Ex: index= 1 source type ="abc" "s1 event received" and "s2 event received" and "s3 event received"  

When I search above query ,I will be getting like( format as below )

S1 received for 12345 customer,name=abz

S2 received for 12345 customer,name = abz

S3 received for 12345 customer,name =abz

If for one customer,all 3 event are met,next i want to search "created" message available in the splunk for same customer (12345)

Here "created" message index and source type is different

If "created" message not available for 12345 customer no after 5 min once all 3 events meets,I need alert with customer no.pls help on this query..if "created" message available after 5 min also need capture customer number.

Fyi : if we received "created" message in the log ,sample log will be (json format )

Log : created :{"customer no" : "12345",name :"kanunam"} like that.

Please please help me on search query.

Could you please anyone help me on this?