Alert configuration: How do we see the Alert type ...

strawberry28 · ‎06-03-2022

We want the alert type to be in real-time and send an alert only if the search query met the condition not to run every minute even though it does not have any result (to avoid spam alerts). How do we see the Alert type for “Real-time” ? instead of a scheduled option only. Because on our end there where no options like that it is automatically tag as "scheduled" on the alert type.

somesoni2 · ‎06-03-2022

The real-time search run more frequent than scheduled search. The real-time search (and report/alerts) will run continuously, blocking a CPU core and server resources, and alerting whenever the alert conditions are met. Whereas the scheduled searches, even the ones which are schedule to run every minute, run per schedule and wait till next schedules.

It all depends upon the response time for you alerts (how soon you want to get notified when the alert conditions happens). If you want your alert to notify you almost immediately, choose real-time alerting (https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Aboutrealtimesearches), assuming you know the performance drawback of real-time searches and accept it. If you're ok to wait 1 minute (or 5 minute) before you know about the issue, choose the scheduled time as it'll be less noisy.

Alert configuration: How do we see the Alert type for “Real-time” instead of a scheduled option only?

alert action

alert condition

email

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation