hi,
We need to take a step back here.
- You alert is on the component status. So, alert is triggered when the component status is down / error / warning, etc. In your case, when a warning or threshold is breached which again in your case is 1. So, whatever the script does doesn't matter - as long as it returns a value (Statistic) of greater than 1, the component is in critical status.
- the component is polled every 5 minutes by default. If your Statistic is always greater than 1, then the alert will get triggered but never reset. So, you will only get 1 email.
So, first thing you will need to understand what exactly your script is counting.
Let's assume your script is counting the number of matches of the key words in the entire log file every 5 minutes, then you will need to check the following option in your component monitor so that SAM can compute the difference between the total count between polls. So, if you found new matches in last 5 minutes, it will trigger an alert. If it doesnt find any matches in last 5 minutes, the alert will get reset. If it happens again, it will trigger a new alert, etc etc
