Alert configuration: How do we see the Alert type ...

strawberry28 · ‎06-03-2022

We want the alert type to be in real-time and send an alert only if the search query met the condition not to run every minute even though it does not have any result (to avoid spam alerts). How do we see the Alert type for “Real-time” ? instead of a scheduled option only. Because on our end there where no options like that it is automatically tag as "scheduled" on the alert type.

somesoni2 · ‎06-03-2022

The real-time search run more frequent than scheduled search. The real-time search (and report/alerts) will run continuously, blocking a CPU core and server resources, and alerting whenever the alert conditions are met. Whereas the scheduled searches, even the ones which are schedule to run every minute, run per schedule and wait till next schedules.

It all depends upon the response time for you alerts (how soon you want to get notified when the alert conditions happens). If you want your alert to notify you almost immediately, choose real-time alerting (https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/Aboutrealtimesearches), assuming you know the performance drawback of real-time searches and accept it. If you're ok to wait 1 minute (or 5 minute) before you know about the issue, choose the scheduled time as it'll be less noisy.

Alert configuration: How do we see the Alert type for “Real-time” instead of a scheduled option only?

alert action

alert condition

email

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?