Problem with backlog message

@fabulus

Hello,

Let me see if I understand this correctly and maybe sum this up.

You're using the 365 Stream, as @DomenicoLicciardi stated earlier in this post; you created an Event Definition with the Search Query: Operation:UserLoggedIn OR Operation:MailboxLogin.

So, you wanted to search for either one of these within an allotted time frame… correct?

Looks like you are searching every 10 minutes over the past 1 hour.
So, let's say it's 5 PM and you execute a search, which gets all users from 4 PM till 5 PM; then you wait 10 minutes and execute a search again at 5:10 PM, which gets all users from 4:10 PM to 5:10 PM. So you want the searches to overlap? Is this correct?
I normally execute a search every XX minutes/hours for the past XX minutes/hours. I have both XX set to the same time frame.

You're also grouping by the field "UserID", so if a UserID count is greater than 1, show each user's logon attempts. This tells me that if you have just 1 UserID in the stream it will not send a notification; unless there are 2 you won't get that message, hence >1. Have you tried setting it to greater than 0? This means that if there is just 1 UserID within that time, it sends a notification.

Yes, you will find all the messages from the "Search Query".
Here is an example of two messages for 24 hours as shown below.

If you configure your Aggregation with certain conditions, then you will receive only those messages that you filtered out.

Here is an example.

  1. Your Event Definition filters what messages you want from the stream being used. I believe you said that was correct, as shown below. Is this correct?
  2. Your notification is how you receive those filtered messages (i.e. from the Event Definition) you want.

So if number 1 is not the problem, then I would look at number 2.

Judging from all that's been stated, I think your Event Definition configuration might be what's creating your issue. This is just a guess, and I'm not sure at this point because there is a lack of information.
Hope this helps
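The window-overlap and threshold behaviour discussed in the post above, as an added example that is not part of the original thread and not Graylog's own code: a small Python model of an event definition that runs every N minutes, searches the past M minutes, keeps only messages matching Operation:UserLoggedIn OR Operation:MailboxLogin, groups by UserId, and fires when count() exceeds a threshold. The message timestamps and user names are constructed sample data; the field names Operation and UserId, the 5 PM reference time, and the half-open window boundary (start excluded, end included) are assumptions of this model, not something the post confirms.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample messages shaped like the Office 365 audit fields the post's
# search query keys on (Operation, UserId). Not real audit data.
SAMPLE_MESSAGES = [
    {"timestamp": datetime(2024, 1, 1, 16, 5),  "Operation": "UserLoggedIn", "UserId": "alice@example.com"},
    {"timestamp": datetime(2024, 1, 1, 16, 20), "Operation": "MailboxLogin", "UserId": "alice@example.com"},
    {"timestamp": datetime(2024, 1, 1, 16, 40), "Operation": "UserLoggedIn", "UserId": "bob@example.com"},
    {"timestamp": datetime(2024, 1, 1, 16, 55), "Operation": "FileAccessed", "UserId": "carol@example.com"},
    {"timestamp": datetime(2024, 1, 1, 17, 15), "Operation": "UserLoggedIn", "UserId": "dave@example.com"},
]

# Named so the scenarios below read like the post: the 5 PM run, the 10-minute
# execution interval and the 1-hour search window (assumed values).
T_5PM = datetime(2024, 1, 1, 17, 0)
TEN_MINUTES = timedelta(minutes=10)
ONE_HOUR = timedelta(hours=1)

# The post's search query: Operation:UserLoggedIn OR Operation:MailboxLogin
SEARCH_OPERATIONS = {"UserLoggedIn", "MailboxLogin"}


def matches_query(msg):
    return msg["Operation"] in SEARCH_OPERATIONS


def evaluate_window(messages, window_end, search_within, group_field="UserId"):
    """One execution of the event definition: count query matches per group
    over the half-open window (window_end - search_within, window_end]."""
    window_start = window_end - search_within
    counts = Counter()
    for msg in messages:
        if window_start < msg["timestamp"] <= window_end and matches_query(msg):
            counts[msg[group_field]] += 1
    return counts


def fire(counts, threshold_gt):
    """Aggregation condition 'count() > threshold_gt', evaluated per group.
    Returns the groups that would trigger a notification."""
    return sorted(group for group, n in counts.items() if n > threshold_gt)


def schedule(messages, first_end, executions, every, search_within, threshold_gt):
    """Run the definition `executions` times, `every` apart, each one looking
    back `search_within`. Returns [(window_end, fired_groups), ...] so the
    overlap or gaps between consecutive windows can be inspected."""
    results = []
    for i in range(executions):
        window_end = first_end + i * every
        counts = evaluate_window(messages, window_end, search_within)
        results.append((window_end, fire(counts, threshold_gt)))
    return results


def overlapping_run(threshold_gt=0):
    # Every 10 minutes over the past 1 hour: consecutive windows share 50 minutes,
    # so one login can be reported by several executions.
    return schedule(SAMPLE_MESSAGES, T_5PM, 2, TEN_MINUTES, ONE_HOUR, threshold_gt)


def aligned_run(threshold_gt=0):
    # Every 1 hour over the past 1 hour: windows tile the timeline, each login
    # is seen by exactly one execution.
    return schedule(SAMPLE_MESSAGES, T_5PM, 2, ONE_HOUR, ONE_HOUR, threshold_gt)


if __name__ == "__main__":
    counts = evaluate_window(SAMPLE_MESSAGES, T_5PM, ONE_HOUR)
    print("5 PM window, per-user counts:", dict(counts))
    print("count() > 1 fires for:", fire(counts, 1))
    print("count() > 0 fires for:", fire(counts, 0))
    for end, fired in overlapping_run():
        print("overlapping run ending", end.time(), "fires for", fired)
    for end, fired in aligned_run():
        print("aligned run ending", end.time(), "fires for", fired)
```

Running it shows the two points the post raises: with count() > 1 only alice (two matching logins in the 4 PM to 5 PM window) fires, while bob's single login is dropped until the threshold is lowered to > 0; and with the 10-minute interval over a 1-hour window, bob's one login is reported again by the 5:10 PM execution, whereas setting the interval and the window to the same value reports each login once.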