Created a search to monitor members added/removed from a group. It's working in search, but in the alert email for deletion of one member from the group, we're getting thousands of alerts. Please see the search and correct if I did anything wrong.
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729) Group_Name=SGG_Emergency_Database_Access Group_Domain=HSUSERS | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S") | rex "Member:\s+\w+\s\w+:.*\\\(?<TargetAccount>.*)" | rex "Account\sName:\s+(?<SourceAccount>.*)" | stats count by Date, TargetAccount, SourceAccount, ComputerName, Group_Name, Group_Domain, Keywords, name | sort - Date | rename name as "Message" | rename SourceAccount as "Administrator Account" | rename TargetAccount as "Target Account"
How many rows does this search return? Could you provide other information about the alert, like time range, schedule, alert condition, throttling and alert type (per-result or once per search)?
It returns one row and I have selected per result. But I don't know why it is sending multiple email alerts for one member added or removed.
What about the schedule and time range? If you have an overlapping time range (e.g. running every 5 min with a time range of last 30 min, there is a 25 min overlap between each alert execution), it'll cause repeated alerts.
That's not good. I generally avoid real-time search, especially scheduled real-time search. If you're OK with a 6 min delay in getting the result, then use this:
Start time: -6m@m
End time: -1m@m
Cron Schedule: 1-59/5 * * * *
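The overlap effect described in this thread can be checked numerically. The script below is an added example and is not part of the original thread or of Splunk; it models Splunk's scheduler with simplifying assumptions (earliest bound inclusive, latest bound exclusive, `@m` snapping to the minute, and a constructed 17-second scheduler delay). It compares the original style of schedule (every 5 minutes over the last 30 minutes) with the suggested `-6m@m` / `-1m@m` on `1-59/5 * * * *`, counting how many scheduled runs would see one constructed group-membership event.

```python
from datetime import datetime, timedelta

def cron_minutes(spec: str) -> list[int]:
    """Expand a cron minute field such as '1-59/5' or '*/5' into the minutes it fires on."""
    base, _, step = spec.partition("/")
    step = int(step) if step else 1
    if base == "*":
        lo, hi = 0, 59
    elif "-" in base:
        lo, hi = (int(x) for x in base.split("-"))
    else:
        lo = hi = int(base)
    return list(range(lo, hi + 1, step))

def floor_minute(t: datetime) -> datetime:
    """Model Splunk's '@m' snap: drop seconds and microseconds."""
    return t.replace(second=0, microsecond=0)

def search_window(run_at: datetime, earliest_min: int, latest_min: int, snap: bool):
    """Window searched by one run: run time plus relative offsets (negative = in the past)."""
    start = run_at + timedelta(minutes=earliest_min)
    end = run_at + timedelta(minutes=latest_min)
    if snap:
        start, end = floor_minute(start), floor_minute(end)
    return start, end

def run_times(day: datetime, minute_spec: str) -> list[datetime]:
    """All scheduler runs for 'day' and the following day (assumed 17 s scheduler delay)."""
    runs = []
    for d in (day, day + timedelta(days=1)):
        for h in range(24):
            for m in cron_minutes(minute_spec):
                runs.append(d.replace(hour=h, minute=m, second=17, microsecond=0))
    return runs

def times_alerted(event_time: datetime, minute_spec: str,
                  earliest_min: int, latest_min: int, snap: bool) -> int:
    """Number of scheduled runs whose window contains the event (earliest inclusive, latest exclusive)."""
    day = event_time.replace(hour=0, minute=0, second=0, microsecond=0)
    count = 0
    for run_at in run_times(day, minute_spec):
        start, end = search_window(run_at, earliest_min, latest_min, snap)
        if start <= event_time < end:
            count += 1
    return count

def max_overlap_minutes(minute_spec: str, earliest_min: int, latest_min: int, snap: bool) -> float:
    """Largest overlap (in minutes) between consecutive search windows; 0 means they tile cleanly."""
    runs = run_times(datetime(2024, 1, 1), minute_spec)
    windows = [search_window(r, earliest_min, latest_min, snap) for r in runs]
    worst = 0.0
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        worst = max(worst, (prev_end - next_start).total_seconds() / 60)
    return worst

# Constructed event: one member removed from the group at 10:03:30.
EVENT = datetime(2024, 1, 1, 10, 3, 30)

if __name__ == "__main__":
    # Original style: every 5 minutes, "last 30 minutes", no snapping -> 25 min overlap, 6 alerts.
    print("every 5m, last 30m :", times_alerted(EVENT, "*/5", -30, 0, False), "alerts,",
          max_overlap_minutes("*/5", -30, 0, False), "min overlap")
    # Suggested: 1-59/5 with -6m@m..-1m@m -> contiguous 5 min windows, exactly 1 alert.
    print("1-59/5, -6m@m..-1m@m:", times_alerted(EVENT, "1-59/5", -6, -1, True), "alerts,",
          max_overlap_minutes("1-59/5", -6, -1, True), "min overlap")
```

The snapped schedule delays detection by up to six minutes, which is the trade-off named in the answer; in exchange each event is matched by exactly one run, so a per-result alert fires once per membership change.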
As you instructed, I changed the alert to:
Start time: -6m@m
End time: -1m@m
Cron Schedule: 1-59/5 * * * *
I did that and checked the time picker; the picker shows custom and the same time range has already been updated. But I'm not getting the result.