Hi,
I have created a Splunk email and it seems to be triggering twice. Below are the query and alert configuration.
query: index="liquidity" AND cf_space_name="pvs-ad00008034" AND (msg.Extended_Fields.ValueAmount = "0" OR msg.Extended_Fields.ValueAmount = "NULL" OR msg.Results.Message="EWI Load process is completed*") | table _time, msg.Extended_Fields.DataSource, msg.Extended_Fields.ValueAmount, msg.Results.Message | sort by _time | rename msg.Extended_Fields.ValueAmount as ValueAmount | rename msg.Results.Message as Message | rename msg.Extended_Fields.DataSource as DataSource
trigger condition:
search Message = "EWI Load process is completed*" | stats count as Total | search Total > 0