I am new to Splunk, very green. I have a DB search that I need to run and I have the search string I need, but when I set up an alert, the alert is checking the results and sending them all to me. Basically, each time a new entry hits that table I need it to send me an email with just the new entry (or entries). I imagine this is very simple to do, but again, I am green. Here is my string.
index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 | stats values(user_id) as userID by Action_date,Action,xcomp_access_role_id,create_login
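One way to make a scheduled alert report only rows that arrived since the last run, as an added example that is not part of the original post: bound the search to the same window the schedule uses, so each run sees only the events with a timestamp in that window. The 15-minute cadence, the trigger condition and the assumption that the audit table's `_time` is set from the row's date (as a DB Connect rising-column input typically does) are assumptions for illustration, not details from the post.

```spl
index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 earliest=-15m@m latest=@m
| stats values(user_id) as userID by Action_date, Action, xcomp_access_role_id, create_login
```

Schedule the alert with the cron expression `*/15 * * * *` and the trigger condition "Number of Results is greater than 0"; because `earliest=-15m@m latest=@m` snaps both ends to the minute, consecutive runs cover adjacent, non-overlapping windows and each email carries only that window's rows. If the DB input indexes rows some time after their `Action_date` (so events land in Splunk with a `_time` older than the window), scope the window on index time instead with `_index_earliest=-15m@m _index_latest=@m` in place of the `earliest`/`latest` pair, which catches every row by when it was ingested rather than by its recorded date.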