I want to do security log monitoring and use the Splunk alert feature to send email notifications. The security log and trigger condition look like this:

    _time, SessionID, fieldA, fieldB
    yyyymmdd, 11111, xxxx, yyyyy
    yyyymmdd, 11111, bbbb, ccccc
    yyyymmdd, 22222, bbbb, ccccc
    ........

As this is a syslog monitoring task, I want to trigger an alert whenever a new SessionID is detected. That means the same SessionID will not be notified twice. My SPL will be like below:

    ....| stats count by SessionID

Regarding the alert configuration, which condition should I use? Or is it possible to do this mostly in the base SPL?

Regards,
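The part that `stats count by SessionID` cannot do on its own is remember which SessionIDs have already been alerted on: a scheduled search only sees events in its own time window, so "seen before" has to be kept in state outside the search. Below is an added example of one way to do that with a CSV lookup as the state store; it is not from the original poster and not a Splunk-supplied search. The index name `security`, the sourcetype `syslog`, the lookup file name `seen_sessions.csv` and the 5-minute cadence are assumptions, so adjust them to the real data.

```spl
| makeresults
| eval SessionID="bootstrap", first_seen=0
| fields - _time
| outputlookup seen_sessions.csv

index=security sourcetype=syslog earliest=-5m@m latest=@m
| stats min(_time) AS first_seen BY SessionID
| eval is_current=1
| inputlookup append=true seen_sessions.csv
| stats min(first_seen) AS first_seen, max(is_current) AS is_current, count AS rows BY SessionID
| where is_current == 1 AND rows == 1
| fields SessionID first_seen
| outputlookup append=true seen_sessions.csv
```

The first search is run once by hand: `inputlookup` errors on a file that does not exist, so it creates `seen_sessions.csv` with the two columns the alert will use (the `bootstrap` row is a placeholder and is harmless). The second search is the saved alert, scheduled every 5 minutes over the same non-overlapping 5-minute window. After the current window is collapsed to one row per SessionID (`is_current=1`), the known sessions from the lookup are appended and everything is grouped again by SessionID: a SessionID that is both in the window and in the lookup ends up with `rows == 2` and is dropped, one that is only in the lookup has no `is_current` and is dropped, and one that is only in the window (`is_current == 1 AND rows == 1`) is genuinely new. Those rows are returned as the alert results and, in the same pass, appended to the lookup so the next run will not report them again.

For the alert configuration, set "Trigger alert when" to "Number of Results" is greater than 0, and choose "For each result" if one email per new SessionID is wanted (the email can reference `$result.SessionID$`). Enabling throttling that suppresses results containing the field value `SessionID` is a reasonable belt-and-braces safeguard, but throttling alone is not a substitute for the lookup, because the throttle suppression window is bounded while the lookup remembers indefinitely. Two caveats: the lookup grows by one row per session and should be pruned on a schedule (after which a very old SessionID reappearing will alert again as new), and the role that owns the scheduled search needs write permission on the lookup file or `outputlookup` will fail silently from the alert's point of view.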