Splunk Enterprise Security

How to create an alert when an event has ended

OnderSentira
Path Finder

Hi,

As soon as an event ends, I want to create an alert and send an email with the Shipment ID that has ended.

Example log:

EVENT GROUP A = Started and ended.

2022-12-20 10:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****
2022-12-20 10:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061015] ****
2022-12-20 11:06:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****

EVENT GROUP B = Started and not ended yet.

2022-12-20 13:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****
2022-12-20 13:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061016] ****

My SPL:
index=app sourcetype=MySource host=MyHost "ShipmentTransferWorker"
| eval Shipment_Status =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", NULL))
| transaction host startswith="Execution of Shipment Transfer Worker started" endswith="Execution of Shipment Transfer Worker ended" keepevicted=true
| rex "Shipment Number: (?<ShipmentNumber>\d+)"
| eval Shipment_Status_Started =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", NULL)
| eval Shipment_Status_Ended = if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", NULL)
| table ShipmentNumber Shipment_Status_Started Shipment_Status_Ended

Suppose that EVENT GROUP B ends with the following event after 6 hours; then I want to create an alert and an email with shipment number 000061016:

2022-12-20 19:43:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****

How can I create a trigger and an email once the event ends?
0 Karma
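One way to turn the search above into a scheduled alert that fires only for transfers that have just ended, as an added example that is not part of the original post. It reuses the index, sourcetype, host and message strings from the question; the 5-minute schedule window and the 24-hour lookback are assumptions, as is the use of `closed_txn` and `duration`, the fields `transaction` itself adds (`closed_txn=1` marks a transaction that was closed by the `endswith` event, `duration` is the span from the first to the last event in it). Because the "ended" line in the sample log carries no shipment number, `transaction host` can only attribute an end to the right shipment when one transfer runs at a time per host; with the interleaved A1/A2 pattern described further down, a per-run identifier on the "ended" line (thread id, PID, or the shipment number itself) would be needed for the pairing to be reliable.

```spl
index=app sourcetype=MySource host=MyHost "ShipmentTransferWorker" earliest=-24h latest=now
| transaction host startswith="Execution of Shipment Transfer Worker started" endswith="Execution of Shipment Transfer Worker ended" keepevicted=true
| rex "Shipment Number: (?<ShipmentNumber>\d+)"
| eval end_time = _time + duration
| where closed_txn=1 AND end_time >= relative_time(now(), "-5m")
| eval ended_at = strftime(end_time, "%Y-%m-%d %H:%M:%S")
| table ShipmentNumber ended_at host
```

Save this search as an alert with a cron schedule of `*/5 * * * *`, trigger condition "Number of Results" greater than 0, and trigger mode "For each result", so each shipment that ended in the last window produces its own email; the subject or body can then reference `$result.ShipmentNumber$` and `$result.ended_at$`. Throttling on the `ShipmentNumber` field for at least one hour prevents a duplicate email when a transaction's end time sits on the boundary of two consecutive runs. Open transactions (still in progress, `closed_txn=0`) are kept by `keepevicted=true` but dropped by the `where` clause, so EVENT GROUP B only alerts once its "ended" line arrives.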

OnderSentira
Path Finder

I mostly have the following scenario. It is not always in a sequential format.

A1 shipment started
A2 shipment started
A1 shipment ended
A2 shipment ended

0 Karma

Taruchit
Contributor

Hi @OnderSentira,

Is there a possibility that you have the following scenario:

A1 shipment started
A2 shipment started
A1 shipment ended
A2 shipment ended

Or is it always in a sequential format:

A1 shipment started
A1 shipment ended
A2 shipment started
A2 shipment ended

Thank you

0 Karma