When you create an email alert, group by a field that identifies the source of the alert.

The email that the alert sends contains a table of results for a particular aggregation query. You can see the visual representation of the query on the Explore Logs page.

Without a unique identifier to group by, you cannot tell whether a result row comes from one system or from several systems in your environment. Group by the hostname field rather than the source field. You can also add any other field that uniquely identifies where the event comes from.
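The following script illustrates the point above. It is an added example, not part of the original page or of any product's code: it builds a constructed set of log events, aggregates them by a chosen set of fields the way an alert query would, and flags group rows that silently merge events from more than one host. The field names (`hostname`, `source`, `level`) and the event values are assumptions made for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real data). Three web servers and one
# database server each emit one error; the "source" field names the
# logging application, the "hostname" field names the machine.
EVENTS = [
    {"hostname": "web-01", "source": "nginx", "level": "error"},
    {"hostname": "web-02", "source": "nginx", "level": "error"},
    {"hostname": "web-03", "source": "nginx", "level": "error"},
    {"hostname": "db-01", "source": "postgres", "level": "error"},
]


def aggregate(events, group_by):
    """Count events per group key, as an alert's aggregation query would.

    group_by is a sequence of field names; the key is the tuple of their
    values. Each row also records the distinct hostnames that contributed,
    so we can detect rows that hide more than one system.
    """
    counts = Counter()
    hosts = defaultdict(set)
    for event in events:
        key = tuple(event.get(field, "<missing>") for field in group_by)
        counts[key] += 1
        hosts[key].add(event.get("hostname", "<missing>"))
    return {key: {"count": counts[key], "hosts": sorted(hosts[key])} for key in counts}


def ambiguous_groups(table):
    """Return group keys whose row mixes events from more than one host.

    A row like this is exactly what the text warns about: the email shows
    one count, but the reader cannot tell how many systems are affected.
    """
    return sorted(key for key, row in table.items() if len(row["hosts"]) > 1)


def render_table(table, group_by):
    """Render the aggregation as the plain-text table an alert email might carry."""
    header = " | ".join(group_by) + " | count"
    lines = [header, "-" * len(header)]
    for key, row in sorted(table.items()):
        lines.append(" | ".join(key) + f" | {row['count']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for fields in (("source",), ("hostname",), ("source", "hostname")):
        table = aggregate(EVENTS, fields)
        print(render_table(table, fields))
        merged = ambiguous_groups(table)
        if merged:
            print(f"rows merging several hosts: {merged}")
        else:
            print("every row maps to exactly one host")
        print()
```

Grouping by `source` alone yields a single `nginx` row with a count of 3, which could be one noisy host or three separate ones. Grouping by `hostname`, or by `source` together with `hostname`, yields one row per machine, so each count is attributable to a specific system.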