Hi gpant
Look at an example and use it
1- From the Search Page, create the following search:
index=_internal " error " NOT debug source=splunkd.log
earliest=-24h latest=now
2- Click Save As > Alert.
3- Specify the following values for the fields in the Save As Alert dialog box:
Title: Errors in the last 24 hours
Alert type: Scheduled
Time Range: Run every day
Schedule: At 10:00
Trigger condition: Number of Results
Trigger if number of results: is Greater than 5
4- Click Next.
5- Click Send Email.
6- Set the following email settings, using tokens in the Subject and Message
fields:
To: email recipient
Priority: Normal
Subject: Too many errors alert: $name$
Message: There were $job.resultCount$ errors reported on
$trigger_date$.
Include: Link to Alert and Link to Results
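The alert from the steps above, written as a savedsearches.conf stanza. This is an added example, not part of the original post; the recipient address is a placeholder, and the mapping from the dialog fields to configuration keys is an assumption to check against the savedsearches.conf reference for your Splunk version.

```ini
# savedsearches.conf (in the app where the alert should live)
# Constructed example: stanza name is the alert Title from step 3.
[Errors in the last 24 hours]
search = index=_internal " error " NOT debug source=splunkd.log earliest=-24h latest=now

# Alert type: Scheduled, run every day at 10:00
enableSched = 1
cron_schedule = 0 10 * * *

# Trigger condition: Number of Results, is greater than 5
counttype = number of events
relation = greater than
quantity = 5

# Trigger action: Send Email
action.email = 1
# Placeholder recipient, replace with the real address
action.email.to = recipient@example.com
# 3 corresponds to Normal priority
action.email.priority = 3
action.email.subject = Too many errors alert: $name$
action.email.message.alert = There were $job.resultCount$ errors reported on $trigger_date$.

# Include: Link to Alert and Link to Results
action.email.include.view_link = 1
action.email.include.results_link = 1
```

Keeping the stanza in version control makes changes to the trigger threshold or recipients reviewable, which the Save As Alert dialog alone does not give you.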