Yes, this should be very straightforward. Just create a search that finds the scan, save it as an alert, add an action to send you an email and you are done. Usually if there is a problem it is because the Search Head cannot send emails because it has not been properly configured to do so.

I have another question. I tired to post it through "ask a question" but due to my reputation points problem (currently have only 24) I am not able to post it.
hope you understand the situation and help me out to understand properly.

===================

I am new to splunk. I have one correlation rule. For some I got the understanding but for most I am unable to interrupt. below is the correlation rule:
| tstats allow_old_summaries=true
dc(Malware_Attacks.date) as "day_count",
count from datamodel=Malware where nodename=Malware_Attacks by "Malware_Attacks.dest","Malware_Attacks.signature"
| rename "Malware_Attacks.dest" as "dest","Malware_Attacks.signature" as "signature"
| where 'day_count'>3

i will be grateful if someone help me to decode that

Thanks
=========================

can you please advise me on that because after that I need to amend that rule little bit.[I need to add Malware_Attacks.action=blocked] in the query.

The above query is taking the data from data model Malware with filter condition nodename=Malware_Attacks, then counting the distinct dates for which there were attacks from a destination ip and signature. Finally showing only the destination IP with their signature who attacked on at least 3 days.

thanks
what is this nodename. any reference doc will help me to understand further and how can I add
Malware_Attacks.action!=blocked condition to correlation search.

The nodename should be the object available in the data model. Check its definition in settings->Data Model -> Your data model name . You should be able to add other conditions in where by using the field name. See samples here
http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Tstats#Filtering_with_where

thanks wood, I done the same (as we discussed in another question-external vulnerability scan). in that alert I configure both send an email and send an alert Option. but never get an email. how how can I troubleshoot this email notification problem.

how can I see the ttl value OR alert lifetime configuration.

See this definition of ttl from alert_actions.conf. For triggered alert, following ttl setting should be applied.

ttl     = <integer>[p]
* Optional argument specifying the minimum time to live (in seconds)
  of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
  by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours)   for: email, rss
* Defaults to   600 (10 minutes) for: script
* Defaults to   120 (2 minutes)  for: summary_index, populate_lookup