Hi,
I'm seeing a weird issue. We have a setup of three search head pools. One user has a real-time search creating an alert. These alerts are sending out three emails, one from each search head, for an individual event. When I inspect the search in question, I see that it has four instances running.
Is this normal or have I configured something wrong?
I'm also unsure as to whether I should set the "Alert mode" to "Once per search" or "Once per result". It was set to "Once per result" when this happened.
If you configure the realtime search as described here: http://answers.splunk.com/answers/83305/shared-realtime-searches-possible/83308
... then you should only end up with one "instance" of the search running across your entire pool.
I'm assuming here that you have "three search heads in a pool" and not "three [distinct] search head pools".
The link you posted doesn't help at all.
OP is running a scheduled search with an email alert.
There are workarounds ( http://answers.splunk.com/answers/127719/search-pooling-and-alerting ) but this totally changes the usage and architecture of how users interact with Splunk.
I've run into this issue today and have yet to find a solution.