Hi @Splunk_Master01,

I suppose that you already have the back-up system logs.

At first, you have to analyze the logs of your back-up system finding the messages for start, end and status both for back-up and restore.

Then you have to define the back-up and restore time scheduling, and then create a search, schedule for e.g. one hour after the completion of the job.

For back-up, you could schedule a search e.g. every day (if your back-up frequency is 1 day).

So you should schedule an alert like the following.

index=your_index message IN ("back-up started", "back-up ended")
| stats earliest(_time) AS earliest latest(_time) AS latest values(message) AS message values(status) AS status
| eval duration=latest-earliest
| eval 
   earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
   latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Then if you want an alert only for status="failed", you can add a filter at the end of your search.

At the same time you could create a dashboard (with the above search) to display all the back-up times, durations, and statuses.

For restore, the process is the same, the only difference is that you surely have a dayly back-up, instead restore is probably scheduled with a minor frequency, so you have to schedule your alert with the correct frequency, to avoid false positive messages.

Ciao.

Giuseppe