SH-Deployer/apps/alert_schedule/default/savedsearches.conf

[Example Alert]
action.email.useNSSubject = 1
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 5m
alert.track = 1
alert_condition = search alert_value > 50 AND alerts_active="true"
auto_summarize.dispatch.earliest_time = -1d@h
counttype = custom
cron_schedule = */1 * * * *
description = Example alert using the alert schedule macro to control the alerting schedule.
dispatch.latest_time = -15m@m
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = alert_schedule
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd_ui_access error\
| stats count as alert_value\
| `check_alerting_schedule(US)`