Alert configuration: How do we see the Alert type ...

strawberry28 · ‎06-03-2022

We want the alert type to be in real-time and send an alert only if the search query met the condition not to run every minute even though it does not have any result (to avoid spam alerts). How do we see the Alert type for “Real-time” ? instead of a scheduled option only. Because on our end there where no options like that it is automatically tag as "scheduled" on the alert type.

somesoni2 · ‎06-03-2022

The real-time search run more frequent than scheduled search. The real-time search (and report/alerts) will run continuously, blocking a CPU core and server resources, and alerting whenever the alert conditions are met. Whereas the scheduled searches, even the ones which are schedule to run every minute, run per schedule and wait till next schedules.

It all depends upon the response time for you alerts (how soon you want to get notified when the alert conditions happens). If you want your alert to notify you almost immediately, choose real-time alerting (https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Aboutrealtimesearches), assuming you know the performance drawback of real-time searches and accept it. If you're ok to wait 1 minute (or 5 minute) before you know about the issue, choose the scheduled time as it'll be less noisy.

Alert configuration: How do we see the Alert type for “Real-time” instead of a scheduled option only?

alert action

alert condition

email

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!