Just wanted to provide an update showing the solution I found with the help of a co-worker. I did a count BY all the fields I wanted, then I created a new field called uniqueID that is an md5 hash of the fields MERCHANTNAME, LOGO, MERCHANTID. Then I set the alert to send an email for each result and throttled it for 8 hours based on the new field "uniqueID". That way, when the same combination of fields I wanted came out within 8 hours, the md5 hash would be the same and no alert would trigger, but if a new one came out we'd still get alerted because the md5 hash would change.

I'm also going to add another field called alertState that would still trigger if all of a sudden the count went above 1500 within that same 8 hour throttle (| eval alertState=if(Count>1500, "OVER1500", "OVER150")), which I will add to the md5 conditions.

Below is a sample of the search and I hope this helps someone else!

index=card sourcetype=epoctd RESPCODE=77 RESPSOURCE=0
| lookup AnalystByLogo.CSV "LOGO" OUTPUT "AnalystName"
| stats count AS Count by LOGO, MERCHANTID, CARDACCEPTNAME, MERCHANTTYPE, ROUTINGPREFIX, AnalystName
| eval uniqueID=md5(MERCHANTID . LOGO . CARDACCEPTNAME)
| where Count>150
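An added example, not part of the original post and not Splunk's own code: a small Python model of the throttle-by-hash idea described above, showing which results would still send an email inside the 8-hour window. The function names, the sample rows, the optional "|" separator and the "suppress while less than 8 hours since that key last fired" rule are assumptions made for illustration. Running it with sep="" reproduces plain concatenation as in the posted eval, where two different MERCHANTID/LOGO pairs can hash to the same uniqueID and the second alert is suppressed.

```python
import hashlib

THROTTLE_SECONDS = 8 * 3600  # the post's 8-hour throttle window


def unique_id(row, fields=("MERCHANTID", "LOGO", "CARDACCEPTNAME"), sep="|"):
    """MD5 over the chosen fields, like eval uniqueID=md5(...) in the post.

    sep="" reproduces plain concatenation; a separator (an assumption added
    here) keeps ("12", "3") and ("1", "23") from hashing to the same key.
    """
    parts = [str(row[f]) for f in fields]
    if "alertState" in row:  # fold the state in, as the post plans to do
        parts.append(row["alertState"])
    return hashlib.md5(sep.join(parts).encode()).hexdigest()


def alert_state(count):
    """Mirror of eval alertState=if(Count>1500, "OVER1500", "OVER150")."""
    return "OVER1500" if count > 1500 else "OVER150"


def run_alerts(results, sep="|"):
    """Return the (time, row) pairs that would send an email.

    results: iterable of (epoch_seconds, row) in time order, one per
    scheduled search result with Count > 150 already applied.
    """
    last_fired = {}  # uniqueID -> time the alert last fired for that key
    sent = []
    for now, row in results:
        row = dict(row, alertState=alert_state(row["Count"]))
        key = unique_id(row, sep=sep)
        if key in last_fired and now - last_fired[key] < THROTTLE_SECONDS:
            continue  # same combination inside the window: suppressed
        last_fired[key] = now
        sent.append((now, row))
    return sent


# Constructed sample results (not real data): time offsets in seconds.
SAMPLE = [
    (0,     {"MERCHANTID": "12", "LOGO": "3",  "CARDACCEPTNAME": "ACME", "Count": 200}),
    (3600,  {"MERCHANTID": "12", "LOGO": "3",  "CARDACCEPTNAME": "ACME", "Count": 400}),
    (7200,  {"MERCHANTID": "1",  "LOGO": "23", "CARDACCEPTNAME": "ACME", "Count": 180}),
    (10800, {"MERCHANTID": "12", "LOGO": "3",  "CARDACCEPTNAME": "ACME", "Count": 1600}),
    (30000, {"MERCHANTID": "12", "LOGO": "3",  "CARDACCEPTNAME": "ACME", "Count": 250}),
]
```

With the separator, the sample fires at 0, 7200, 10800 and 30000 seconds; without it, the 7200-second result for a different merchant is silently throttled.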