I have an alert setup looking for an event. What I am looking to do is have an alert email sent out if there is an event, but I want to limit it so that if there are say more than 100 events to not send out an alert.
Try something like this
Your base search looking for that event | stats count | where count>=0 AND count<100
Set your alert condition to "where count is greater than 0"
Hi @dmittel, There are a couple of options that might work depending on how you're trying to configure the alert behavior.
--Trigger only when the event count is lower than 100: You can look into setting up a trigger condition that evaluates how many results were returned from the search. I'm not sure what kind of alert you have, but here is some documentation that might help: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Alert/Definerolling-windowalerts#Set_up_trigger... http://docs.splunk.com/Documentation/Splunk/6.3.1511/Alert/Definescheduledalerts#Set_up_triggering_c...
--Reduce how often the alert triggers: You can look into throttling the alert to reduce the alert triggering frequency. Here is some documentation that might help: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Alert/ThrottleAlerts
Hope this helps! Let me know if you have further questions.
