Hello,

Background: I am generating alerts around our Office 365 environment using the Content Pack for Microsoft 365. I have limited search query experience but am willing to put in the time to learn more as I go.

About the Content Pack for Microsoft 365 - Splunk Documentation

Trying to accomplish:
- Runs every 10 minutes
- Trigger a single alert if "id"/"Ticket" is unique for every result
- Throttle for 24 hours

This is just an example of my search query:

(index=Office365) sourcetype="o365:service:healthIssue" service="Exchange Online" (classification=incident OR classification=advisory) (status=serviceDegradation OR status=investigating)
| eventstats max(_time) AS maxtime BY id
| where _time = maxtime
| mvexpand posts{}.description.content
| mvexpand posts{}.createdDateTime
| rename posts{}.description.content AS content, posts{}.createdDateTime AS postUpdateTime
| stats latest(content) AS Content, latest(status) AS Status, earliest(_time) AS _time, latest(postUpdateTime) AS postUpdateTime BY service, classification, id, isResolved
| fields _time, service, classification, id, Content, postUpdateTime, Status, isResolved
| sort +isResolved, -postUpdateTime
| rename isResolved AS "Resolved?", service AS Workload, id AS Ticket, classification AS Classification, postUpdateTime AS "Last Update"

Would I need a custom trigger? And what result would be required for suppressing?

What is happening: There could technically be 3 events based on the search query, but the alert will only send 1 email to me (with only 1 event) instead of 3 individual alert emails with 3 separate events. I am trying to prevent the same alert being generated for the same "Ticket/ID", so if a new event happens it will trigger the alert. Should I be using a custom trigger? And if so, what result would I suppress to prevent multiple alerts of the same "ticket/id"?

Any help would be grateful! Thank you!
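One way to express the "one alert per Ticket, quiet for 24 hours" requirement as a scheduled alert in savedsearches.conf, shown here as an added example rather than anything from the original post or the Content Pack; the stanza name, the 24-hour look-back, and the recipient address are placeholders, and the search is a trimmed version of the query above:

```ini
# Added example: a savedsearches.conf alert stanza (stanza name is a placeholder).
# "For each result" triggering plus throttling on the Ticket field makes each
# new ticket fire its own email once and then stay suppressed for 24 hours.
[o365_exchange_health_incident_alert]
enableSched = 1
# Runs every 10 minutes.
cron_schedule = */10 * * * *
# Look-back window is an assumption; widen or narrow to match the data.
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Trimmed form of the search from the post; the unique key must survive as "Ticket".
search = (index=Office365) sourcetype="o365:service:healthIssue" service="Exchange Online" \
  (classification=incident OR classification=advisory) (status=serviceDegradation OR status=investigating) \
  | eventstats max(_time) AS maxtime BY id \
  | where _time = maxtime \
  | stats latest(status) AS Status, latest(isResolved) AS isResolved BY service, classification, id \
  | rename id AS Ticket, service AS Workload, classification AS Classification

# Trigger condition: fire whenever the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0

# Per-result mode: one alert per row instead of a single digest email.
alert.digest_mode = 0

# Throttle: suppress further alerts carrying the same Ticket value for 24 hours.
alert.suppress = 1
alert.suppress.fields = Ticket
alert.suppress.period = 24h

# Email action; the recipient is a placeholder. $result.*$ tokens come from the row.
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = M365 health issue $result.Ticket$ ($result.Workload$, $result.Status$)
```

The same settings correspond, in the alert editor, to trigger "For each result" with throttling enabled and "Ticket" as the suppress field; a ticket that changes status is still suppressed until the 24-hour period ends, so add Status to alert.suppress.fields if a status change should count as a new alert.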