I wanted to create an alert that runs every hour and checks the data from the start of the day until now; if the count is greater than a value, it should generate an alert, with no further alerts for the rest of the day. I have used the following parameters, but they do not seem to be right, because if we get an alert at 6pm today we don't get another alert until 6pm the next day. What if the count exceeds the limit at some time before 6pm the next day? We would not get an alert because of the throttle. If we don't use the throttle, we get overlapping results.
- Alert type: Scheduled
- Run on Cron Schedule
- Earliest: @d
- Latest: now
- Cron Expression: */60 * * * *

**Trigger Conditions**

- Trigger alert when Number of Results is greater than 0
- Trigger Once For each result
- Throttle? Suppress triggering for 1 day(s)
Please recommend a solution. Urgent. Thanks for the help.
You could set your search so that it runs hourly, finds the time of the FIRST event of the day, and if that event is less than (for example) 65 minutes old, throws the alert.
Then, set the throttle to suppress the alert for 75 minutes (but it will never alert again until the next day.)
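A small simulation of the two configurations discussed in this thread, added here as an illustration and not code from either poster. It models the hourly schedule and the throttle in simplified form, and it assumes the answer's "first event" means the event that first pushes the day's count over the limit; the limit of 3 and all timestamps are constructed.

```python
from datetime import datetime, timedelta

LIMIT = 3  # constructed threshold: alert when the day's count is greater than 3

def crossing_time(events, day_start, now, limit=LIMIT):
    """Time of the event that pushed today's count above `limit`, or None."""
    today = sorted(t for t in events if day_start <= t <= now)
    return today[limit] if len(today) > limit else None

def simulate(events, start, hours, policy):
    """Run the hourly search `hours` times; return the run times that alerted."""
    alerts, suppressed_until = [], None
    for h in range(1, hours + 1):
        now = start + timedelta(hours=h)
        # Earliest: @d, Latest: now
        day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
        crossed = crossing_time(events, day_start, now)
        if policy == "throttle_1d":
            # Question's setup: trigger on any result, suppress for 1 day.
            fire, window = crossed is not None, timedelta(days=1)
        else:
            # Answer's setup: trigger only while the crossing event is
            # less than 65 minutes old, suppress for 75 minutes.
            fire = crossed is not None and now - crossed < timedelta(minutes=65)
            window = timedelta(minutes=75)
        if fire and (suppressed_until is None or now >= suppressed_until):
            alerts.append(now)
            suppressed_until = now + window
    return alerts

def at(day, hhmm):
    """Constructed timestamp helper: at(2, "09:35") -> 2024-01-02 09:35."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2024, 1, day, h, m)

# Constructed sample: the limit is crossed at 17:40 on day 1 and 09:35 on day 2.
EVENTS = [at(1, t) for t in ("17:10", "17:20", "17:30", "17:40")] + \
         [at(2, t) for t in ("09:05", "09:15", "09:25", "09:35")]

if __name__ == "__main__":
    for policy in ("throttle_1d", "fresh_crossing"):
        runs = simulate(EVENTS, at(1, "00:00"), 48, policy)
        print(policy, [r.strftime("%d %H:%M") for r in runs])
```

With the one-day throttle the second day's alert is held back until 18:00; with the 65-minute age check and 75-minute throttle it fires at the 10:00 run and only once per day.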