I have a search that shows the number of logs from various indexes for the last 60 mins. I have this saved as an alert to email me IF the event count < 1 million. I keep getting an email every hour despite the trigger condition not being met as the logs total more than 1M for the last 60 mins. What am I doing wrong? I feel like I'm going crazy here.
**search**

```
| tstats count WHERE (index=cisco OR index=palo OR index=email) BY index
```

**results**

| index | count |
|-------|-------|
| cisco | 3923160 |
| palo | 21720018 |
| email | 7583099 |
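One way to make the 1M threshold explicit inside the search instead of relying on the alert's trigger settings, as an added example that is not from the original post. It assumes the same three indexes and the same per-index count, and that the alert is scheduled with a time range of the last 60 minutes (the time window is not repeated in the search here):

```spl
| tstats count WHERE (index=cisco OR index=palo OR index=email) BY index
| eventstats sum(count) AS total_events
| where total_events < 1000000
| table index count total_events
```

The `eventstats` line adds the grand total across the three indexes to every row while keeping the per-index counts, and the `where` line keeps rows only when that total is below 1,000,000; with the posted numbers the total is 33,226,277, so every row is dropped and the search returns nothing. The alert can then trigger on "Number of Results" being greater than 0, so an email only goes out when the total really is under the threshold, and the email still carries the per-index breakdown. A check worth making on the existing alert: the "Number of Results" trigger counts result rows (three here, one per index), not the value of the `count` field, so a condition such as "number of results is less than 1000000" is true every hour regardless of event volume.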