I have a simple search:
sourcetype=iis sc_status=500
The search returns results. I saved the search as an alert. The alert is cron scheduled to run every minute (Earliest: -1m@m, Cron Expression: */1 * * * *). The only condition on the alert is that results must be greater than 0.
When I open the alert in search, it gives results. When I look at the jobs page, I clearly see it running the alert search. Further, the jobs page clearly shows that many of these entries have positive result counts. When I inspect the job, I see the alert settings all look valid and resultCount is indeed a positive number.
However, the triggered alerts page shows nothing - not a single entry there. So what am I missing? Any tips on how to troubleshoot something like this?