A real-time alert that looks for 0 events in the last N minutes does not seem to send any email. It does put entries in the triggered alerts log.
The alert contains this data:
trigger condition: "Number of Results is = 0 in 5 minutes."
search condition: processed customer=32323 sourcetype="splunktest-too_small"
We have another alert that triggers whenever "fire_alert" appears in the log. When I trigger that alert, I see index=_internal log spewage of the form:
... savedsearch_name="fire_alert", status=success, digest_mode=0, scheduled_time=1442592619, window_time=0, dispatch_time=1442592620, run_time=1830.371, result_count=1, alert_actions="email", ...
There is no similar line in the log when the first real-time alert is triggered.