I had a previous thread open, but since then I worked on the alert and refined some criteria. The alert is running off two indexes: ABC and windows (print logs). Basically what I want is, when the specific event from ABC happens AND right after (but no longer than 1 minute after) when the user prints the document “getContent.pdf,” I want it to alert. I got as far as joining the two logs together with the user field, but I am having trouble with the criteria, ONLY when the user prints the document after the specified ABC event, and I was also having trouble grouping by user.
See the screenshot below for example. The ABC event happens at 3:51:25 pm by user J0845, and soon after at 3:51:34pm the user prints getContent.pdf. That’s when I want it to alert.
Search:
(index=ABC Screen="DocDetl" Func="ViewImg" FileName="Your Number" UsrID=J0845) OR (sourcetype=WinPrintMon type=PrintJob user=J0845 "getContent.pdf")
![alt text][1]
[1]: /storage/temp/128253-capture.png
↧