Sure, consider the following:
sourcetype=log4net source=Accounts "Account notification failed for " | eval date=strftime(_time, "%y-%m-%d") | stats dc(AccountId) as TotalNotificationsFailed by date
Basically, if you got 10 failed notifications in a given calendar day, the alert should fire off and then get suppressed for the remainder of the day. Currently it fires off, the cron job kicks in every 5 minutes, and it re-triggers.
The time window is @d to 'now'.