Hi pweijian, thanks for posting this update - I really appreciate it!
I have just tried a similar search to the one you suggested, and I am getting the same results as you:
source="/path/to/my/syslog/files/*"
sourcetype="syslog"
| search "my_search_string"
This sends one alert ^^^
source="/path/to/my/syslog/files/*"
sourcetype="syslog"
| search "my_search_string"
| table my_field1, my_field2, my_field3
This sends multiple continuous alerts ^^^
My searches really are not that complex, so I am surprised at the difference.
I will also raise a support ticket with Splunk.
Thanks again, and likewise - I will let you know if I find out anything more.