Answer by warren for What’s the best strategy to monitor Splunk log for missing event successful?

Given the small sample you gave us, this should do what you’re looking for (without using transaction):

index=ndx sourcetype=srctp STR=* (MIT="Local Step started" OR MIT="Copy Step successful")
| eval status=if(match(MIT,"started"),"begin","end")
| stats values(status) as status by STR
| where mvcount(status)<2

What this does:

only look for entries where there is a STR values, and MIT is equal to "Local Step started" OR "Copy Step successful"
because we know MIT only ever contains "Local Step started" OR "Copy Step successful", set status to "begin" if "started" is found, and "end" otherwise
stats values(status), grouping by STR
filter all the values()‘d entries by only those that have one entry (either a "begin" or an "end")

The result should be all STRs for which there was no successful completion

from User warren – Stack Overflow https://stackoverflow.com/questions/76066793/whats-the-best-strategy-to-monitor-splunk-log-for-missing-event-successful/76103248#76103248
via IFTTT

merikebi

warrenmyers.com