I created an alert yesterday.
That alert generated thousands of notifications; yesterday they were in the thousands.
Today, when I opened the Triggered Alerts window under the Activity tab, I was shocked that there were no triggered alerts.
Can anybody explain to me what happened?
Regards,
The alerts have an expiration date. They will get removed past that. Check the settings of the saved search generating the alert for the ttl setting, which defines the expiration date.
Hi
My actual aim is to get notified (through email) when there is an external vulnerability scan during the last hour. For that purpose I created an alert.
Or please advise me of the correct approach to achieve that.
Yes, this should be very straightforward. Just create a search that finds the scan, save it as an alert, add an action to send you an email and you are done. Usually if there is a problem it is because the Search Head cannot send emails because it has not been properly configured to do so.
I have another question. I tried to post it through "Ask a Question", but due to my reputation points problem (I currently have only 24) I am not able to post it.
I hope you understand the situation and help me out to understand properly.
===================
I am new to Splunk. I have one correlation rule. Some of it I understand, but most of it I am unable to interpret. Below is the correlation rule:
| tstats allow_old_summaries=true 
dc(Malware_Attacks.date) as "day_count",
count from datamodel=Malware where  nodename=Malware_Attacks  by "Malware_Attacks.dest","Malware_Attacks.signature" 
| rename "Malware_Attacks.dest" as "dest","Malware_Attacks.signature" as "signature" 
| where 'day_count'>3
I will be grateful if someone helps me decode that.
Thanks
=========================
Can you please advise me on that, because after that I need to amend the rule a little bit (I need to add Malware_Attacks.action=blocked to the query).
The above query takes the data from the data model Malware with the filter condition nodename=Malware_Attacks, then counts the distinct dates on which there were attacks for each destination IP and signature. Finally it shows only the destination IPs with their signatures that attacked on at least 3 days.
Thanks.
What is this nodename? Any reference doc will help me to understand further. And how can I add the
Malware_Attacks.action!=blocked condition to the correlation search?
The nodename should be the object available in the data model. Check its definition in Settings -> Data Model -> your data model name. You should be able to add other conditions in where by using the field name. See samples here:
http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Tstats#Filtering_with_where
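As an added example (not from the original answer), the correlation search quoted above, amended with the action filter the question asks about. It assumes Malware_Attacks.action is a field of the Malware_Attacks object in the Malware data model:

```spl
| tstats allow_old_summaries=true
    dc(Malware_Attacks.date) as "day_count",
    count
    from datamodel=Malware
    where nodename=Malware_Attacks Malware_Attacks.action!=blocked
    by "Malware_Attacks.dest","Malware_Attacks.signature"
| rename "Malware_Attacks.dest" as "dest","Malware_Attacks.signature" as "signature"
| where 'day_count'>3
```

The action filter has to go in the tstats where clause: action is not in the by clause, so it no longer exists after aggregation and cannot be filtered with a later | where. Placing it there also means blocked events never contribute to day_count.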
Thanks wood, I did the same (as we discussed in another question, external vulnerability scan). In that alert I configured both the Send an email and Send an alert options, but I never get an email. How can I troubleshoot this email notification problem?
If you are on a very up-to-date version of Splunk, you now have to click a setting to have a triggered alert show up in the Triggered Alerts area (yes, really).
Do it like this: Save As -> Alert -> Triggered Actions (at the bottom) / Add Actions -> Add to Triggered Alerts.
This is easy to miss because it is just off of the bottom of the first page of settings and it is the only thing that doesn't fit on the first page and typically pop-up dialogs are designed to fit all on one page.
How can I see the ttl value or the alert lifetime configuration?
See this definition of ttl from alert_actions.conf. For triggered alerts, the following ttl setting should be applied.
ttl     = <integer>[p]
* Optional argument specifying the minimum time to live (in seconds)
  of the search artifacts, if this action is triggered.
* If p follows integer, then integer is the number of scheduled periods.
* If no actions are triggered, the artifacts will have their ttl determined
  by the "dispatch.ttl" attribute in savedsearches.conf.
* Defaults to 10p
* Defaults to 86400 (24 hours)   for: email, rss
* Defaults to   600 (10 minutes) for: script
* Defaults to   120 (2 minutes)  for: summary_index, populate_lookup
