The background to this is that I am running Enterprise Security. I was hoping to assign a risk score to multiple objects, but a correlation search cannot run more than one adaptive response action for risk.
So, I am implementing a saved search instead that will:
1. create a score/object/type tuple for each search result
2. mvexpand on this field
3. split out the field
4. run "sendalert risk" for each of the resulting events
Appendpipe does not solve the problem for more than two risk objects, as you end up with 2^(n-1) events where n is the number of risk objects.
The saved search works when run manually, but fails when scheduled.
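As an added illustration of the four-step pipeline above (this is not the poster's saved search, just a self-contained sketch of the same idea), the following SPL builds a score|object|type tuple per result from constructed sample fields, expands it, and splits it back into separate fields before handing each row to the risk action. The `makeresults`/`eval` rows are constructed data; the `sendalert risk` parameter names (`_risk_object`, `_risk_object_type`, `_risk_score`) are assumed from Enterprise Security's risk adaptive response action and differ between ES versions, so check them against the risk action's own `alert_actions.conf` on the search head before relying on this.

```spl
| makeresults
| eval src="10.0.0.5", user="alice", dest="web01"          ``` constructed sample fields ```
``` step 1: one multivalue field holding a score|object|type tuple per risk object ```
| eval risk_tuple=mvappend("20|".src."|system", "40|".user."|user", "10|".dest."|system")
``` step 2: one event per tuple (3 risk objects -> 3 events, not 2^(n-1)) ```
| mvexpand risk_tuple
``` step 3: split the tuple back into the fields the risk action expects ```
| eval parts=split(risk_tuple, "|"),
       risk_score=tonumber(mvindex(parts, 0)),
       risk_object=mvindex(parts, 1),
       risk_object_type=mvindex(parts, 2)
| fields - parts risk_tuple
``` step 4: one risk modifier per event; parameter names are assumed (see lead-in) ```
| sendalert risk param._risk_object="risk_object" param._risk_object_type="risk_object_type" param._risk_score="risk_score"
```

When running this by hand, drop the final `sendalert` line first and confirm that the expanded rows carry the three fields you expect; `mvexpand` is subject to the `max_mem_usage_mb` limit in limits.conf and silently truncates past it, which is one place a scheduled run with a larger result set can diverge from a manual test. For the scheduled case, the search's own search.log and `index=_internal sourcetype=scheduler` show whether the job dispatched and whether the alert action raised an error.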