Our Splunk Enterprise indexer has some alerts configured. One alert is configured as follows:

Time range: rt-1h / rt-0h
"Schedule this search": true
Condition: always
Alert mode: Once per result
Throttling: After triggering, don't alert again for 1 day, based on "RequestID" (each result will have a unique RequestID)
If I manually run the search over the last 7 days, I get 2 results. However, in the "Searches and Reports" section of Manager, the search shows 16,356 alerts (as does Alert Manager).
If only 2 events have occurred in the last few days, why are so many alerts being fired?