Both "Once" and "For each result" behaves the same way for me. In both cases, I got the alert with only one event from the results. I am assuming PagerDuty doesn't support multiple results.

Hi @nytins,

as I said, I don't know PagerDuty and probably the issue is the it doesn't permits multiple values.

If you don't have many results, you could create a workaround like the following:

• create a lookup (called e.g. PageDuty_temp.csv),
• save your results in this lookup,
• create a new alert that:
  • searches on this lookup,
  • takes only the first value,
  • send a message to PagerDuty,
  • removes the used value from the lookup.

Ciao.

Giuseppe

I don't have access to splunk servers, these are managed by a central team. Are these logs available to search within splunk? If yes, any how how can I search for it?

Those are stored into _internal index. If you are not part of splunk admin team, you probably haven't access to it. You could try 

index=_internal

To see if you can see events in that index and if you can then you can try this

index="_internal" component=SavedSplunker sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index" OR alert_actions="") app!=splunk_instrumentation 
| fields _time app result_count status alert_actions user savedsearch_name splunk_server_group 
| stats earliest(_time) as _time count as run_cnt sum(result_count) as result_count values(alert_actions) as alert_actions values(splunk_server_group) as splunk_server_group by app, savedsearch_name user status 
| table _time, run_cnt, app, savedsearch_name user status result_count alert_actions splunk_server_group

 It shows alerts which has previously run and what has happen.

If you haven't access to internal logs, then you should ask from your Splunk admin team, that they will check what has happened.