topic Re: What is the difference between alert and report? in Alerting

What is the difference between alert and report?

logloganathan — Tue, 09 Jun 2020 22:03:03 GMT

Could anyone please provide a difference between report and alert?

Re: What is the difference between alert and report?

tiagofbmm — Tue, 20 Mar 2018 16:07:40 GMT

A report can be used in a dashboard. It does have to trigger anything.

You can reference the reports by their name into a dashboard instead of placing them in plain SPL

An alert is based on a scheduled saved search that whenever certain conditions are overcome, generates one or more actions to be executed.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/AlertWorkflowOverview

Re: What is the difference between alert and report?

kmaron — Tue, 20 Mar 2018 17:08:37 GMT

The main difference between an alert and a report is the trigger condition. With the trigger condition an alert will only do an action under the specified circumstances. Where a scheduled report will ALWAYS do it's action if one is selected and an unscheduled report will only run when chosen.

Re: What is the difference between alert and report?

niketn — Tue, 20 Mar 2018 18:34:02 GMT

@logloganathan could you elaborate on your use case or the reason for this question? We would definitely want to assist but without understanding your need we might be shooting in the dark!

Re: What is the difference between alert and report?

logloganathan — Wed, 21 Mar 2018 06:59:25 GMT

Because i can use same query in report and alert without triggering any action

Re: What is the difference between alert and report?

ruman_splunk — Mon, 09 Sep 2019 18:30:51 GMT

But this is not quite true. A report can have actions. I think @kmaron's response is correct - a saved search is an alert if it has a trigger condition.

Re: What is the difference between alert and report?

woodcock — Fri, 03 Apr 2020 12:54:22 GMT

Originally only alerts had alert actions but customers insisted and now reports also can have alert actions so literally there is no functional difference between the two. There is now only a taxonomical difference which you are free to slice any way that you like. Settings-wise, the difference between the two now is defined in savedsearches.conf as: alert.track=1 means alert and alert.track=0 means report. That is it.

Re: What is the difference between alert and report?

woodcock — Fri, 03 Apr 2020 12:54:55 GMT

This answer is incorrect. See my answer.

Re: What is the difference between alert and report?

woodcock — Fri, 03 Apr 2020 12:55:10 GMT

This is incorrect. See my answer.

Re: What is the difference between alert and report?

woodcock — Fri, 03 Apr 2020 12:55:19 GMT

This is incorrect. See my answer.

Re: What is the difference between alert and report?

martin_mueller — Fri, 03 Apr 2020 16:09:40 GMT

This answer is incorrect.

Here's a savedsearches.conf entry with alert.track=false, note how in the screenshot the corresponding alert action "Add to triggered Alerts" is not selected.
Yet the same screenshot show the UI declares this as type Alert.

Here's the corresponding btool output:

The two previous answers from 2019 are correct, a report triggers always (savedsearches.conf counttype=always) while an alert has a condition (counttype!=always).

Re: What is the difference between alert and report?

nrodrigues — Mon, 25 Jan 2021 14:42:32 GMT

After many test, my saved search is still in mode "Report" with only "alert.track=1". An alert type seems to be consisted of 3 points:

A cron schedule
A trigger condition
A trigger actions

In my case, here is the options used with the endpoint API "POST /servicesNS/-/-/saved/searches" to get an alert type:

"is_scheduled": 1,
"alert_type": "number of events"
"alert_comparator": "greater than",
"alert_threshold": 0,
"alert.track": 1

If I remove one of these options, I get a report saved search instead of alert. With the configuration file (savedsearches.conf), the options are "cron_schedule, enableSched, counttype, relation, alert.track".

Re: What is the difference between alert and report?

Lowell — Wed, 26 May 2021 21:26:06 GMT

To convert a report to an alert, open the Advanced Edit, and set the filter to alert_

Then set:

alert_type
alert_comparator
alert_threshold

Here's a simple example:

If you are searching the rest endpoint and trying to classify your saved searches, here's a search I find helpful to start from:

| rest splunk_server=local /services/saved/searches
| fields - display.* dispatch.*
| search is_visible=1 AND disabled!=true AND is_scheduled=1
| eval type=if(alert_type="always", "report", "alert")
| table title type disabled scheduled cron_schedule eai:acl.app eai:acl.owner actions search