Alerting

Is there a limitation related to the number of real-time alerts created in Splunk Enterprise?

erwan_raulet
Explorer

I have two servers Splunk Enterprise that collected the same inputs mainly in syslog. I have created some real-time alerts to prevent us when some events occured in our network. I have declared more than ten real-time alerts but only five or six alerts worked.
The others alerts never triggered.
Do you know if there is a limitation with a license or technical constraint in Splunk Enterprise?

0 Karma
1 Solution

masonmorales
Influencer

Yes, it's technically constrained somewhat by the number of CPU cores available on your search head. Generally it's better to use scheduled searches on 5 minute (or 1 minute if you really need it that fast) intervals. Once you hit the concurrent search limit (because there aren't any cores left to run the searches), the search head will start queuing ad-hoc search jobs and skipping scheduled searches.

Related question: https://answers.splunk.com/answers/92760/impact-of-real-time-distributed-searches-on-cpu-utilization...

View solution in original post

0 Karma

erwan_raulet
Explorer

Is the rolling-windows alerts are considered as real-time alerts?

0 Karma

masonmorales
Influencer

Yes, it's technically constrained somewhat by the number of CPU cores available on your search head. Generally it's better to use scheduled searches on 5 minute (or 1 minute if you really need it that fast) intervals. Once you hit the concurrent search limit (because there aren't any cores left to run the searches), the search head will start queuing ad-hoc search jobs and skipping scheduled searches.

Related question: https://answers.splunk.com/answers/92760/impact-of-real-time-distributed-searches-on-cpu-utilization...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...