Designed an SMTP reporting alert to send an email whenever a specific log message was ingested.
The rule basically said msg.id = '%C4K_CHASSIS-3-MUXBUFFERREADSUPERVISORSELECTIONFAILED', which indicates that a 48-port card was down. The network team would get an email and get to work on it.
When setting up the alert, there were 2 options: "execute once" or "execute each event". "Execute once" was selected in the alert, but this is a little misleading. The alerts were being logged about every second, and it didn't send that many emails; however, we were receiving an email every minute.
Fortunately, this was a simple fix: by changing the "AlertInterval" setting, located under 'reporting engine > explore > com.rsa.soc.re > alertConfiguration', from 1 to 10, we now receive emails only every 10 minutes.
Happy Hunting, hope this saves you some digging.