I created a simple alert based upon an eventtype and the tag 'not-expected'.
source=[the log file containing the event] AND eventtype=[the eventtype] AND tag=not-expected
The alert worked fine.
I have since changed the eventtype search string to exclude certain events (which have tag=expected) using AND NOT, but I am still getting alerts for one of the events even though the tag for that event was changed to 'expected'.
I can't see any reason in my related eventtypes, search strings, or alert settings for why I am still getting alerts for this now 'expected' event.
Are there other reasons such as caching which may cause an alert to continue to fire on an event?
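An added diagnostic search (not part of the original post) that shows, for each recent event, which eventtypes Splunk assigns it and which tags resolve from those eventtypes, and flags whether 'expected' is among them; the source path, eventtype name and 24-hour window are placeholders to adapt:

```spl
source="[the log file containing the event]" earliest=-24h
| search eventtype="[the eventtype]"
| eval has_expected=if(isnotnull(mvfind(tag, "^expected$")), "yes", "no")
| table _time eventtype tag tag::eventtype has_expected
| sort - _time
```

If `has_expected` is "no" for the event that still alerts, the tag is not being applied to the eventtype value the event actually carries (eventtype and tag are multivalue fields, so check every value listed); if it is "yes", the alert's own search or the AND NOT clause is the place to look rather than the tagging.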