Sorry for not being more descriptive; both searches have different indexes. I want to alert when search1 AND search2 results are greater than zero.

How long is the time period involved? - Only one time in a day.

How often will you have this alert scheduled for (different from the first question!)? - The first and second searches can be done at the same time, because right after a few seconds of the file being received, the file will be processed.

Is it a 1 to 1 relationship between "create" events and "processing" events? - Yes.

What's the maximum time difference between those two events? - Maximum 1 hr 1 minute.

Does it matter more if a file gets created but not processed, or does that situation matter less, or is this actually the only thing that matters? - Yes, it's critical if the file is received (search1) and not processed (search2).

Do you already have the filename being extracted as a field in these two events? - Yes, I have.

How often do you expect the pair of messages (daily? hourly? hundreds per second?)? - Daily, once.