This is one of the example email alerts:
Saved search results. Name: 'Cisco - Level 3 Internet BGP Drops (dcinternet02r)' Query Terms: 'source=\"/var/log/syslog_info\" _raw=*\"%BGP-5-ADJCHANGE: neighbor 22.214.171.124\"* earliest=-36hr@h | table _time, _raw | sort -_time' Link to results: https://splunk.********.com/ sid=scheduler__hfmra200__search__RMD5ce14eefd70aff3f9_at_1459853760_15001 Alert was triggered because of: 'Saved Search [Cisco - Level 3 Internet BGP Drops (dcinternet02r)]: always(0)'
Everything are good , from there side email address and he check in spam fold. He haven't received any mails.
And if i try to run commands under the applications which are in saved search, like:
source=\"/var/log/syslog_info\" _raw=\"%BGP-5-ADJCHANGE: neighbor 126.96.36.199\" earliest=-36hr@h | table _time, _raw | sort -time
I cant see any data . "No data found "
Is he the only recipient for the alert? If so, check sourcetype = python_log logs for any errors in sending email. If there are other recipients for the alert check with them to see if they got the email and you can validate the to distribution list from that email