Need assistance figuring out why we are receiving multiple email alerts. We are trying to set up email alerts for Office365 Service Messages.
Search String
index="o365data" sourcetype="o365:service:message" Id=*
| where Classification == "Incident" AND Severity == "Sev2"
| spath Messages{} output=Messages
| spath WorkloadDisplayName
| spath Id
| spath Status
| stats values(WorkloadDisplayName) as WorkloadDisplayName values(Id) as Id values(Status) as Status by Messages
| spath input=Messages
| eval PublishedTime=strptime(PublishedTime, "%Y-%m-%dT%H:%M:%S.%NZ")
| eval CorrectPublished=PublishedTime+25200
| where MessageText != "A post-incident report has been published."
| stats count by CorrectPublished Id WorkloadDisplayName MessageText Status
| sort - CorrectPublished
| dedup CorrectPublished
| fields - count
| eval CorrectPublished=strftime(CorrectPublished,"%Y/%m/%d %T")
| fields - PublishedTime
| dedup Id
| table CorrectPublished Id WorkloadDisplayName MessageText Status
| rename CorrectPublished as "Published", Id as "ID", WorkloadDisplayName as "Workload", MessageText as "Details"
Alert Settings
Alert Type: Real-time
Expires: 48 Hour(s)
Trigger alert when: Per-Result
Throttle: yes
Suppress results containing field value: *
Suppress triggering for: 2 minute(s)
When triggered: Send email
Emails Received
Try changing Trigger alert when: Per-Result to Trigger alert when: Once.
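For readers who manage alerts in configuration files rather than the UI, here is what the two trigger modes from this thread look like side by side in savedsearches.conf. This is an added illustration, not the poster's actual configuration: the stanza names, the recipient address and the real-time dispatch keys are assumptions, and the search is shortened to its first line. The point it shows is that with Per-Result (alert.digest_mode = 0) every row the search returns becomes its own alert and its own email, and field-based throttling only suppresses repeats of the same field value for the suppression window; with Once (alert.digest_mode = 1) the whole result set produces a single alert and a single email.

```ini
# Added example (not the poster's configuration). Keys are standard
# savedsearches.conf settings; the stanza names, recipient and the
# real-time dispatch values are assumptions.

# --- Noisy variant: one email per result row ---
[o365_sev2_incident_per_result]
enableSched = 1
# Real-time search window (assumed form; the UI writes this for "real-time")
dispatch.earliest_time = rt
dispatch.latest_time = rt
# Search shortened to its first line; paste the full query from the thread here
search = index="o365data" sourcetype="o365:service:message" Id=* | where Classification == "Incident" AND Severity == "Sev2" | ...
# "Trigger alert when: Per-Result" -> every result triggers separately
alert_type = always
alert.digest_mode = 0
# Throttling only suppresses repeats of the same field value for 2 minutes,
# so each distinct row still sends its own email
alert.suppress = 1
alert.suppress.fields = *
alert.suppress.period = 2m
alert.expires = 48h
action.email = 1
action.email.to = soc@example.com

# --- Corrected variant: one email per search run ---
[o365_sev2_incident_once]
enableSched = 1
dispatch.earliest_time = rt
dispatch.latest_time = rt
search = index="o365data" sourcetype="o365:service:message" Id=* | where Classification == "Incident" AND Severity == "Sev2" | ...
# "Trigger alert when: Once" -> the whole result set is one alert
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
# Throttle the alert as a whole rather than per field value
alert.suppress = 1
alert.suppress.period = 2m
alert.expires = 48h
action.email = 1
action.email.to = soc@example.com
```

After editing savedsearches.conf, reload the search configuration (or restart the search head) and confirm in Settings > Searches, reports, and alerts that the trigger condition now reads "Once"; a quick way to verify the change took effect is to count the emails received from the next Sev2 incident against the number of rows the search returns.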
Thanks Rich! I'll test this and report back!
@richgalloway my apologies for the delay, I should be able to verify on the next alert.
This did the trick. Thanks again Rich!!
@joeybroesky If your problem is solved then please accept the answer to help future readers.