When I type this search in the normal Splunk search app, I get normal expected results:
"usb" | transaction host startswith="New USB device found" endswith="USB disconnect" | search NOT keyboard NOT mouse NOT host=xyz
However when I create an alert with the same search pattern, I constantly get results for the host xyz.
I am using the newest Splunk 5.0.3. Is this a bug or is there something happening behind the scenes I don't understand?
The settings for the alert are thus:
time range: real time
alert mode: once per search
condition: always
alert action: send email
Any hints?
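The search pipeline from the question, modelled offline as an added example that is not part of the original post and not Splunk's own implementation. It approximates the three stages (the leading "usb" keyword match, `transaction host startswith=... endswith=...`, and the trailing `search NOT keyboard NOT mouse NOT host=xyz`) over a handful of constructed syslog-style events, so you have a reference result to compare against whatever the scheduled or real-time alert emails. Assumptions: events are (timestamp, host, _raw) tuples, keyword matching is a case-insensitive substring test rather than Splunk's tokenised search, and a transaction that never sees its end marker is dropped.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events for this example, not from the original post: (timestamp, host, _raw).
SAMPLE_EVENTS = [
    ("2013-05-01T10:00:00", "hostA", "kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567"),
    ("2013-05-01T10:00:01", "hostA", "kernel: usb 1-1: Product: Cruzer Blade"),
    ("2013-05-01T10:05:00", "hostA", "kernel: usb 1-1: USB disconnect, device number 3"),
    ("2013-05-01T10:01:00", "xyz",   "kernel: usb 2-1: New USB device found, idVendor=046d, idProduct=c31c"),
    ("2013-05-01T10:02:00", "xyz",   "kernel: usb 2-1: USB disconnect, device number 4"),
    ("2013-05-01T10:03:00", "hostB", "kernel: usb 3-2: New USB device found, idVendor=04f3, idProduct=0210"),
    ("2013-05-01T10:03:01", "hostB", "kernel: input: Logitech USB Optical Mouse as /class/input/input5"),
    ("2013-05-01T10:04:00", "hostB", "kernel: usb 3-2: USB disconnect, device number 2"),
    ("2013-05-01T10:06:00", "hostC", "kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666"),
]


@dataclass
class Transaction:
    """One grouped transaction: the host it was keyed on and its events in time order."""
    host: str
    events: list[tuple[datetime, str]] = field(default_factory=list)

    @property
    def raw(self) -> str:
        # Splunk's transaction command concatenates the member events' _raw into one field.
        return "\n".join(text for _, text in self.events)

    @property
    def duration(self) -> float:
        return (self.events[-1][0] - self.events[0][0]).total_seconds()


def keyword_search(events, term):
    """Approximates the leading "usb" search term (assumption: case-insensitive substring match)."""
    return [e for e in events if term.lower() in e[2].lower()]


def build_transactions(events, start_marker, end_marker):
    """Approximates `transaction host startswith=<start> endswith=<end>`.

    Events are taken in time order and grouped per host: a group opens on the start
    marker and closes on the end marker. Assumption: a group that never sees the end
    marker is dropped; Splunk's treatment of still-open transactions is not modelled.
    """
    open_by_host: dict[str, Transaction] = {}
    closed: list[Transaction] = []
    for ts_str, host, raw in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if start_marker in raw:
            open_by_host[host] = Transaction(host)  # a new start replaces an unfinished group
        txn = open_by_host.get(host)
        if txn is None:
            continue  # event outside any open transaction for this host
        txn.events.append((ts, raw))
        if end_marker in raw:
            closed.append(open_by_host.pop(host))
    return closed


def post_filter(txns, excluded_terms, excluded_hosts):
    """Approximates `search NOT keyboard NOT mouse NOT host=xyz` applied after the transaction."""
    def keep(t):
        if t.host in excluded_hosts:
            return False
        text = t.raw.lower()
        return not any(term.lower() in text for term in excluded_terms)
    return [t for t in txns if keep(t)]


def run_search(events=SAMPLE_EVENTS):
    """The full pipeline from the question; returns the transactions that survive the filter."""
    usb_events = keyword_search(events, "usb")
    txns = build_transactions(usb_events, "New USB device found", "USB disconnect")
    return post_filter(txns, ["keyboard", "mouse"], {"xyz"})


if __name__ == "__main__":
    for t in run_search():
        print(f"{t.host}: {len(t.events)} events, {t.duration:.0f}s")
```

On the sample data, hostB's transaction is dropped because its concatenated raw text contains "Mouse", xyz is dropped on the host field, and hostC never closes, leaving only hostA. If the alert is emailing transactions for host xyz, compare the emailed event's host field against this model: the filter here keys on the transaction's own host field, which is the only field the trailing `NOT host=xyz` can see after the grouping.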