https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572975#M13190 <P>Search this and look for field result_count.</P><LI-CODE lang="markup">index=_internal sourcetype=scheduler status=success savedsearch_name="Potential Brute Force Attack - 4 or more login attempts in 5 mins"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Fri, 29 Oct 2021 14:39:24 GMT somesoni2 2021-10-29T14:39:24Z https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572829#M13186 <P><FONT face="trebuchet ms,geneva">Hello Splunk Community !</FONT></P><P><FONT face="trebuchet ms,geneva">I have an alert setup to report failed login attempts by a user &gt; 4 times in 5 minutes. </FONT><BR /><FONT face="trebuchet ms,geneva">Alert query : </FONT><BR /><FONT face="trebuchet ms,geneva" color="#993300"><EM>index=win_os sourcetype="Security" EventCode=4625 | bin span=5m _time| stats count dc(user) by _time, user, Logon_Type,dest, src, Failure_Reason | where count &gt; 3 | sort user | table _time, user, count, Logon_Type,dest, src, Failure_Reason</EM></FONT></P><P><U><FONT face="trebuchet ms,geneva">Alert settings:</FONT></U></P><P><STRONG><FONT face="trebuchet ms,geneva">Alert Type: Scheduled. Hourly, at 0 minutes past the hour. </FONT></STRONG><BR /><FONT face="trebuchet ms,geneva"><STRONG>Trigger Condition: Number of Results is &gt;</STRONG> 0</FONT></P><P><FONT face="trebuchet ms,geneva">Issue : the last time this alert ran, i got results only from 3 PM attempts. </FONT><BR /><FONT face="trebuchet ms,geneva">the alert PDF did not report the results from 2:55 PM.</FONT></P><P><FONT face="trebuchet ms,geneva">Actual Query result:</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vdhiman63_0-1635430679430.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16640i1AF4D3B7E3892F6A/image-size/medium?v=v2&amp;px=400" role="button" title="vdhiman63_0-1635430679430.png" alt="vdhiman63_0-1635430679430.png" /></span></P><P>&nbsp;</P><P><FONT face="trebuchet ms,geneva">Alert PDF that came in email:</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vdhiman63_1-1635430694883.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16641iEBBA49B77010220F/image-size/medium?v=v2&amp;px=400" role="button" title="vdhiman63_1-1635430694883.png" alt="vdhiman63_1-1635430694883.png" /></span></P><P>Any idea why the complete results were not shown from 2:55 PM when the alert triggered at the hour ?&nbsp;</P> Thu, 28 Oct 2021 14:19:31 GMT https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572829#M13186 vdhiman63 2021-10-28T14:19:31Z https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572863#M13187 <P>Check the scheduler logs (index=_internal sourcetype=scheduler savedsearch_name=YourAlertName) to confirm the number of result. Also, consider allowing some breathing space between the alert schedule and time range. Instead of using Basic schedule</P><P><STRONG><FONT face="trebuchet ms,geneva">Alert Type: Scheduled. </FONT></STRONG></P><P><STRONG><FONT face="trebuchet ms,geneva">Run at Cron scheduleHourly: 3 * * * * (every hour at 3 min past the hour)</FONT></STRONG></P><P><STRONG>Time Range: <A href="mailto:-1h@h" target="_blank">-1h@h</A>&nbsp;to&nbsp;@h (last full hour)</STRONG><BR /><FONT face="trebuchet ms,geneva"><STRONG>Trigger Condition: Number of Results is &gt;</STRONG><SPAN>&nbsp;</SPAN>0</FONT></P> Thu, 28 Oct 2021 18:16:31 GMT https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572863#M13187 somesoni2 2021-10-28T18:16:31Z https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572966#M13189 <P>Thank you iam trying to check the logs. How can i verify the number of results in this message :&nbsp;</P><P>event_message<BR />user=" ", app="search", savedsearch_name="Potential Brute Force Attack - 4 or more login attempts in 5 mins", status=delegated_remote_completion, scheduled_time=1635418800, member_guid=246-1311-453B-B4C8-727D1A, member_label="SH005", member_URI="<A href="https://10" target="_blank">https://10</A>....", sid=scheduler__search__RMD57367c0d1d64e89d1_at_1635418800_55813_7EA1D246-1311-453B-B4C8-727D1A477CE1, success=1</P> Fri, 29 Oct 2021 13:52:26 GMT https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572966#M13189 vdhiman63 2021-10-29T13:52:26Z https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572975#M13190 <P>Search this and look for field result_count.</P><LI-CODE lang="markup">index=_internal sourcetype=scheduler status=success savedsearch_name="Potential Brute Force Attack - 4 or more login attempts in 5 mins"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Fri, 29 Oct 2021 14:39:24 GMT https://community.splunk.com/t5/Alerting/Missing-results-in-Splunk-Alert-Email/m-p/572975#M13190 somesoni2 2021-10-29T14:39:24Z