We got a working solution using saved searches (summary indexer and alert sending email) that does something like this:

# Name: our_good_saved_search
# Schedule: runs every 30 minutes
# Type: Summary Indexing Saved Search
# Description: Basically, what below does is it'll get logs from a raw index, put them in a summary index if the same logs aren't in the summary index yet

index=our_raw_index sourcetype=our_logs earliest=-5d@w1
| dedup Some, Unique, Fields,
| table Some, Unique, Fields, Just, Another, Column
| join type=left Some, Unique, Fields
    [ search index=our_summary_index source=our_good_saved_search earliest=-5d@w1
    | eval Excluder = 1 ]
| where isnull(Excluder)
| eval _time = now()
| table _time, Some, Unique, Fields, Just, Another, Column

# Name: our_good_email_sender
# Schedule: 1,31 * * * *
# Type: Alert With Send Email Action
# Description: Basically, what below does is when it detects new items, it'll send emails for each of them

index=our_summary_index source=our_good_saved_search earliest=-29min@min-1s@s
| table _time, Some, Unique, Fields, Just, Another, Column

We find it redundant since both are types of saved searches. We're wondering if it's possible that the whole thing can be done by just one alert basically like this:

index=our_raw_index sourcetype=our_logs earliest=-5d@w1
| dedup Some, Unique, Fields,
| table Some, Unique, Fields, Just, Another, Column
| join type=left Some, Unique, Fields
    [ search index=our_summary_index source=our_good_email_sender earliest=-5d@w1
    | eval Excluder = 1 ]
| where isnull(Excluder)
| eval _time = now()
| table _time, Some, Unique, Fields, Just, Another, Column
| summaryindex ...

Theoretically, the above code is an alert that would

1. Summary index its result
2. Send an email for each result.

I've already tried adding the action_summary.index=1 and action.summary_index._name = our_summary_index configs but they're not working.

If this is possible, please advise on what I am missing.

Thanks in advance.