- Community
- :
- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: How to create Alert when event is ended
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create Alert when event is ended
Hi,
As soon as an event ends I want to create an alert and want to sent email with Shipment ID which is ended.
Example log:
EVENT GROUP A = Started en ended.
2022-12-20 10:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****
2022-12-20 10:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061015] ****
2022-12-20 11:06:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****
EVENT GROUP B = Started end not ended yet.
2022-12-20 13:43:04.468 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker started. ****
2022-12-20 13:43:04.471 +01:00 [ShipmentTransferWorker] **** [Shipment Number: 000061016] ****
My SPL
index=app sourcetype=MySource host=MyHost "ShipmentTransferWorker"
| eval Shipment_Status =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", NULL))
| transaction host startswith="Execution of Shipment Transfer Worker started" endswith="Execution of Shipment Transfer Worker ended" keepevicted=true
| rex "Shipment Number: (?<ShipmentNumber>\d*)"
| eval Shipment_Status_Started =if(like(_raw, "%Execution of Shipment Transfer Worker started%"),"Started", NULL)
| eval Shipment_Status_Ended = if(like(_raw, "%Execution of Shipment Transfer Worker ended%"), "Ended", NULL)
| table ShipmentNumber Shipment_Status_Started Shipment_Status_Ended
suppose that EVENT GROUP B ends with following event after 6 hours and then I want to create an Alert and mail with shipment number 000061016:
2022-12-20 19:43:19.097 +01:00 [ShipmentTransferWorker] **** Execution of Shipment Transfer Worker ended ****
How can I create trigger and email once the event ends?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have mostly the following scenario. It is not always in sequential format.
A1 shipment started
A2 shipment started
A1 shipment ended
A2 shipment ended
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @OnderSentira,
Is there a possibility that you have following scenario: -
A1 shipment started
A2 shipment started
A1 shipment ended
A2 shipment ended
Or its always in a sequential format: -
A1 shipment started
A1 shipment ended
A2 shipment started
A2 shipment ended
Thank you
Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More
Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)
Tech Talk | One Log to Rule Them All
