I have created a scheduled search of the type:
index=_internal | head 100
Now, I have set the cron schedule such that this search executes every 5 minutes, and the trigger mode is "For Each Result". So, for 100 results, 100 alerts must be fired.
Now, the alerts are only triggered for 5 minutes. So, let's say the scheduled search with sid=sid1 has executed 50 alerts for 50 events. After 5 minutes, the search with sid2 is triggered. Now, the alerts for sid1 are stopped, and alerting continues for sid2.
Is this known behaviour of Splunk? Can we change this?