This is a common request, and to paraphrase it and make sure I understand, it boils down to:
"I want to check the alert every 5 minutes but once it starts failing I only want it to email me like once every 4 hours or something"
This (and much more) is being developed for our next big release. However, as Simeon says, there are probably ways to do it even today, and in the interim we might consider testing out and writing up some of the less half-baked ideas somewhere.
This is one half-baked idea, but it's possible to set this up yourself with only one custom shell script that would run a splunk search, and with the rest done in the UI.
1) Aforementioned custom shell script gets hooked up in the "Trigger Shell Script" section of the alert. It uses a search like the following to write the current time to a CSV.
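The throttling logic the answer above describes (check every 5 minutes, notify at most once per interval), written out as an added example that is not code from the original thread or from Splunk. It keeps the "last notification time" in a plain state file rather than in a CSV written by a Splunk search, and the notification step itself is a placeholder; the state file path, the 4-hour interval and the epoch timestamps are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): rate-limit an alert action so it
# fires at most once per INTERVAL seconds, no matter how often the search runs.
# The epoch time of the last notification is kept in STATE_FILE (hypothetical
# path chosen by the caller); the original answer used a CSV written by a
# Splunk search for the same purpose.

# should_notify STATE_FILE INTERVAL NOW
# Returns 0 (true) when no notification has been recorded yet, or the last one
# is at least INTERVAL seconds old. Returns 1 (false) otherwise.
should_notify() {
    state_file=$1
    interval=$2
    now=$3
    if [ ! -f "$state_file" ]; then
        return 0            # never notified: send
    fi
    last=$(cat "$state_file")
    case "$last" in
        ''|*[!0-9]*) return 0 ;;   # empty or corrupt state: fail open, send
    esac
    elapsed=$((now - last))
    [ "$elapsed" -ge "$interval" ]
}

# record_notification STATE_FILE NOW
# Overwrites the state file with the epoch time of the notification just sent.
record_notification() {
    printf '%s\n' "$2" > "$1"
}

# throttled_alert STATE_FILE INTERVAL NOW
# Placeholder for the real action: prints "sent" (and records the time) when the
# interval has elapsed, "suppressed" otherwise. A real script would put the
# email / page call where the "sent" branch is.
throttled_alert() {
    if should_notify "$1" "$2" "$3"; then
        record_notification "$1" "$3"
        echo sent
    else
        echo suppressed
    fi
}

# Constructed demo: run as "sh script.sh demo". Interval is 4 hours (14400 s);
# the timestamps mimic three 5-minute search runs, the last one past 4 hours.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    rm -f "$f"
    throttled_alert "$f" 14400 1000000   # first failure: sent
    throttled_alert "$f" 14400 1000300   # 5 min later: suppressed
    throttled_alert "$f" 14400 1014400   # 4 h later: sent again
    rm -f "$f"
fi
```

The alert's "Trigger Shell Script" hook would call something like `throttled_alert` with `$(date +%s)` as NOW. Treating a missing or unreadable state file as "send" is deliberate: a throttle that fails closed silently drops the alert, which is the worse failure for a monitoring control.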
My previous question was not clear, the goal here is to limit the emailed results to just 1 line in the alert email.
The user is trying to set "maxresults = 1" in alert_actions.conf to achieve that, but it doesn't work.
This question is a bit confusing and may need clarification by the person asking.
Alerting is based off of the condition you dictate in your search. You can alert based on a condition with respect to the result set (events), or alert based on a schedule. All of these will be based off of some time range that your search dictates.
If you are trying to set an alert that will only send the alert one time (ever), I do not believe this is currently possible. You might be able to do some hacking with creating a summary index or lookup table, but this would depend on what you are alerting on.