Option 2 is supposed to work. Your query should not have filter condition, rather it will be present as Trigger Condition. Search Query index=_internal sourcetype=splunkd log_level!="INFO" earliest=-1h@h latest=now | stats count max(_time) as _time by component Trigger Condition - Trigger type should be custom where count>5 PS: I have tested the following alert on cron schedule to run every minute for last hour of Splunk's _internal error data by component. Since I was getting only 1 or 2 errors per components, I have reset trigger condition to search count>1 and trigger type as custom [Sample Alert with Trigger Condition] alert.suppress = 0 alert.track = 1 alert_condition = search count>1 counttype = custom cron_schedule = */1 * * * * dispatch.earliest_time = -1w dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","log_level","info"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.chartHeight = 550 display.visualizations.custom.type = aplura_viz_donut.donut enableSched = 1 request.ui_dispatch_app = splunk_answers request.ui_dispatch_view = search search = index=_internal sourcetype=splunkd log_level!="INFO" earliest=-1h@h latest=now \ | stats count max(_time) as _time by component Please try out and confirm! ... View more

Yes, I am going to only send one mail with multiple recipients to avoid too much duplicated mails. :) ... View more

Thanks woodcock, I used "| rex max_match=0 field=_raw "(?)Dest : (?.*)" | table path" in the end, but your suggestion to use "max_match=0" really helps! ... View more