Splunk Enterprise Security

How to create an alert when an event has ended

OnderSentira
Path Finder

Hi,

As soon as an event ends, I want to create an alert and send an email with the Shipment ID that has ended.

Example log:

EVENT GROUP A = started and ended.

2022-12-20 10:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****
2022-12-20 10:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061015] ****
2022-12-20 11:06:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****

EVENT GROUP B = started and not ended yet.

2022-12-20 13:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****
2022-12-20 13:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061016] ****

My SPL

index=app sourcetype=MySource host=MyHost "ShipmentTransferWorker"
| eval Shipment_Status =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", null()))
| transaction host startswith="Execution of Shipment Transfer Worker started" endswith="Execution of Shipment Transfer Worker ended" keepevicted=true 
| rex "Shipment Number: (?<ShipmentNumber>\d*)"
| eval Shipment_Status_Started =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", null())
| eval Shipment_Status_Ended = if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", null())
| table ShipmentNumber Shipment_Status_Started Shipment_Status_Ended

Suppose that EVENT GROUP B ends with the following event after 6 hours; then I want to create an alert and mail with shipment number 000061016:

2022-12-20 19:43:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****

How can I create a trigger and email once the event ends?

0 Karma

OnderSentira
Path Finder

I have mostly the following scenario. It is not always in sequential format.

A1 shipment started
A2 shipment started
A1 shipment ended
A2 shipment ended

0 Karma

Taruchit
Contributor

Hi @OnderSentira,

Is there a possibility that you have the following scenario:

A1 shipment started
A2 shipment started
A1 shipment ended
A2 shipment ended

Or is it always in a sequential format:

A1 shipment started
A1 shipment ended
A2 shipment started
A2 shipment ended

Thank you

0 Karma
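The pairing the question asks for, and the interleaved case raised in the follow-up (A1 started, A2 started, A1 ended, A2 ended), as an added example in Python. This is not code from the post or from Splunk; the log format is the one shown above, while the function names (pair_events, new_alerts), the FIFO pairing rule and the second, interleaved sample log are assumptions made for the illustration. The key point it makes explicit is that the "ended" line carries no shipment number, so an end can only be attributed to a start by order; with two workers open at once that attribution is a guess and is flagged as such rather than trusted.

```python
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the format of the post: group A started and ended,
# group B started but not ended yet.
SAMPLE_LOG = (
    "2022-12-20 10:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****\n"
    "2022-12-20 10:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061015] ****\n"
    "2022-12-20 11:06:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****\n"
    "2022-12-20 13:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****\n"
    "2022-12-20 13:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061016] ****\n"
)
# The line the post says arrives six hours later and should trigger the alert.
LATER_END = ("2022-12-20 19:43:19.097 +01:00 [ShipmentTransferWorker] "
             "**** Execution of Shipment Transfer Worker ended ****")
# Constructed (assumed) interleaved case from the thread: A1 started, A2 started, A1 ended, A2 ended.
INTERLEAVED_LOG = (
    "2022-12-21 08:00:00.000 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****\n"
    "2022-12-21 08:00:00.010 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061017] ****\n"
    "2022-12-21 08:00:05.000 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****\n"
    "2022-12-21 08:00:05.010 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061018] ****\n"
    "2022-12-21 08:10:00.000 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****\n"
    "2022-12-21 08:12:00.000 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2}) "
    r"\[ShipmentTransferWorker\] \*{4} (?P<body>.*?) \*{4}\s*$"
)
NUMBER_RE = re.compile(r"\[Shipment Number: (?P<number>\d+)\]")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"


@dataclass
class Worker:
    started: datetime
    number: Optional[str] = None  # filled in by the following "Shipment Number" line


@dataclass
class EndedShipment:
    number: str
    started: datetime
    ended: datetime
    ambiguous: bool  # True when more than one worker was open at the "ended" line

    @property
    def duration_s(self) -> float:
        return (self.ended - self.started).total_seconds()


def pair_events(lines):
    """Walk lines in time order; return (ended shipments, workers still open).
    An "ended" line has no shipment number, so it is given to the oldest open
    worker (FIFO); with several workers open that pairing is flagged ambiguous."""
    open_workers = deque()
    ended = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        body = m["body"]
        if body.startswith("Execution of Shipment Transfer Worker started"):
            open_workers.append(Worker(started=ts))
        elif (n := NUMBER_RE.search(body)) is not None:
            # The number line follows its own start line: attach it to the
            # newest worker that has no number yet.
            for w in reversed(open_workers):
                if w.number is None:
                    w.number = n["number"]
                    break
        elif body.startswith("Execution of Shipment Transfer Worker ended"):
            if not open_workers:
                continue  # end without a start in the window: nothing to attribute
            ambiguous = len(open_workers) > 1
            w = open_workers.popleft()
            ended.append(EndedShipment(w.number or "unknown", w.started, ts, ambiguous))
    return ended, list(open_workers)


def new_alerts(lines, already_notified):
    """Ended shipments not yet notified; records them so that a search re-run over
    an overlapping window does not mail the same shipment twice (the job that
    throttling on ShipmentNumber does for a Splunk alert)."""
    fresh = []
    for e in pair_events(lines)[0]:
        key = (e.number, e.ended.isoformat())
        if key not in already_notified:
            already_notified.add(key)
            fresh.append(e)
    return fresh


if __name__ == "__main__":
    notified = set()
    for lines in (SAMPLE_LOG.splitlines(), SAMPLE_LOG.splitlines() + [LATER_END]):
        for e in new_alerts(lines, notified):  # second run sees the later "ended" line
            print(f"mail: shipment {e.number} ended {e.ended} after {e.duration_s:.0f}s"
                  + (" (pairing ambiguous)" if e.ambiguous else ""))
```

The first run reports only 000061015; the second, with the six-hours-later line appended, reports 000061016 once and 000061015 not again. Two things carry over to the Splunk side: the lines must be walked oldest-first (Splunk returns events newest-first, so sort by _time before pairing), and the alert should be throttled on ShipmentNumber so a scheduled search over an overlapping window does not re-send the same email; the shipment number itself goes into the mail via the $result.ShipmentNumber$ token of the "Send email" action.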