We recently set up Splunk for testing. One of the features I'm most interested in right now is the "Alert" functionality.
I have created an alert that runs every day at 06:00. The alert finds the events I'm searching for and creates an alert. The only issue is that every new alert also includes events that are older than 24 hours. I would like to only alert on events that are newer than 24 hours.