My alerts only allow me to choose trigger once for each result. 

Hi @BTB,

if you select Once (not "For each result"), you have only one file with all the results.

Ciao.

Giuseppe

I don't have that option. Would that happen to be in the advanced edit? 

Hi @BTB ,

as @PickleRick highlighted, you have the "Once" choice: it's visible in your screenshot, why you aren't able to select it?

If you cannot select it, I never saw this behaviour!

If you really aren't able to select "Once", open a ticket to Splunk Support.

Ciao.

Giuseppe

It is in the screenshot you pasted yourself. You have either "Once" or "for each result". In your screenshot the option "Once" was selected.

Once is the only option that I have. I don't know if this is due to a backend config or what but it's my only option. 

If you click on "For each result" you will be getting alerts for each result separately.

or

Thank you; and yes, I understand that. It's just that this is my only option "once per event" and I don't know if you have different options on your Splunk instance. If you do, then it's probably that I need to get with the team that administers this and ask them to add the other options. 

Isn't your alert a real-time one by any chance? (Which isn't a very good idea anyway).

No, it's batch analysis, a term coined by Bamm Visscher, to only look at results that happen every few days or weekly. I don't want it to hit once for every result. The whole ask of the post is to find out how I can get a report not to send if there aren't any results. That's really what I want to do. In alerts, I only can select "once per result," which doesn't work for me because I want them in a batch (many alerts in one alert, so to speak) I don't want it to fire every time there is a hit. This is used for high false positive alerts that we only want to look at every few days. I'm not sure how to make what I'm looking for much clearer than I have in my responses. I want to either have an alert that sends one alert with consolidated alerts for 3 days worth of alerts or I want to send a report with 3 days worth of consolidated search results in place of an alert but I don't want the report to send if there are 0 results. 

Yes, I understand. It's just that we're trying to find out why you don't have the "Once" option available. It is strange since I don't recall any capabilities limiting your choice here.

EDIT: The problem with doing it as a part of a non-alert scheduled search (a raport) is that while you can have at least two ways of sending data (either use map to spawn the sendemail command only if there are any results or use the sendresults addon), you'd still be operating on a per-event basis or have to bend over backwards heavily to render your events manually to a single result before sending them out; that's inconvenient big time).

So that's why I'm pushing for finding out why you can't alert for the whole result set once.

Okay; so if you have the option of something other than once per event then it's probably configured on the back end and I'll need to work with our team that manages that and make sure they enable that option. Just to confirm, you have that option and what version are you running? Also, Thank you so much for your help!!

The trick is I don't see any capability or other setting per role or user that would limit this option so that really seems unusual. If you have a realtime alert, you indeed have only the "per each result" option available but in this case it makes sense since you're constantly monitoring the incoming events and don't have a "full" result set. But with a scheduled alert you normally should have two options. At least I have never seen the "once" option being unavailable. I'm at 9.1.1 at the moment.

EDIT: Ok, wait a second.

Do a screenshot from your report definition screen where you have this once/each result part.