Hello, I have set up an email alert. ID is the unique identifier. My source file is a text file which updates after some time whenever new activity is captured, and the forwarder will re-read that file again. To avoid duplication in the search I'm using dedup ID; if I don't use dedup ID in my search it shows me a number of results which is not equal to the file. For e.g.: my file has 3 logs, and after some activity 2 more logs are added to the file, so the total count is 5; however Splunk is showing 8 events in the GUI. To avoid this I'm using dedup ID. Now, the issue is my alert is in real time and I'm getting a lot of duplicated results in my email. Below is my query:
index=pro sourcetype=logs Remark="xyz"
| dedup ID
| table ID, _time, field1, field2, field3, field4
Using the above query I'm getting the correct result in the GUI, but a number of alerts are generated by email.