Alerting

Is there a limitation related to the number of real-time alerts created in Splunk Enterprise?

erwan_raulet
Explorer

I have two Splunk Enterprise servers that collect the same inputs, mainly syslog. I have created some real-time alerts to warn us when certain events occur in our network. I have declared more than ten real-time alerts, but only five or six of them worked.
The other alerts never triggered.
Do you know if there is a limitation from a license or a technical constraint in Splunk Enterprise?

0 Karma
1 Solution

masonmorales
Influencer

Yes, it's technically constrained somewhat by the number of CPU cores available on your search head. Generally it's better to use scheduled searches on 5-minute (or 1-minute if you really need it that fast) intervals. Once you hit the concurrent search limit (because there aren't any cores left to run the searches), the search head will start queuing ad-hoc search jobs and skipping scheduled searches.

Related question: https://answers.splunk.com/answers/92760/impact-of-real-time-distributed-searches-on-cpu-utilization...


0 Karma
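To put numbers on the core-count constraint described in this answer, here is an added example (not code from the thread or from Splunk) that applies the concurrency formulas from limits.conf with their documented defaults, and then counts skipped saved searches in constructed scheduler.log lines, which is what "alerts that never trigger" looks like in `index=_internal sourcetype=scheduler`. It assumes each always-on real-time alert permanently occupies one scheduler slot.

```python
"""Added example (not from the thread or from Splunk): estimate a search head's
concurrency budget with the limits.conf formulas, then count which saved
searches the scheduler skipped in constructed scheduler.log lines."""
import re
from collections import Counter


def search_limits(cores, max_searches_per_cpu=1, base_max_searches=6,
                  max_rt_search_multiplier=1, max_searches_perc=50):
    """limits.conf formulas; keyword defaults are Splunk's documented defaults.
    [search]    max_hist = max_searches_per_cpu * cores + base_max_searches
                max_rt   = max_rt_search_multiplier * max_hist
    [scheduler] the scheduler may use max_searches_perc % of max_hist."""
    max_hist = max_searches_per_cpu * cores + base_max_searches
    return {
        "max_hist": max_hist,
        "max_rt": max_rt_search_multiplier * max_hist,
        "scheduler_quota": max_hist * max_searches_perc // 100,
    }


def realtime_alerts_fit(n_alerts, cores, **kw):
    """Do n always-on real-time alerts fit in the scheduler's share?
    (assumption: each real-time alert holds one scheduler slot permanently)"""
    return n_alerts <= search_limits(cores, **kw)["scheduler_quota"]


# Constructed scheduler.log lines (index=_internal sourcetype=scheduler); sample data only.
SAMPLE_LOG = """\
INFO  SavedSplunker - savedsearch_name="rt_failed_logins", status=success, run_time=0.4
INFO  SavedSplunker - savedsearch_name="rt_port_scan", status=skipped, reason="maximum number of concurrent running jobs"
INFO  SavedSplunker - savedsearch_name="rt_new_admin", status=skipped, reason="maximum number of concurrent running jobs"
INFO  SavedSplunker - savedsearch_name="rt_port_scan", status=skipped, reason="maximum number of concurrent running jobs"
"""
_KV = re.compile(r'savedsearch_name="([^"]+)".*?status=(\w+)')


def skipped_by_search(log_text):
    """Count skipped runs per saved search: the symptom behind alerts that never fire."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _KV.search(line)
        if m and m.group(2) == "skipped":
            counts[m.group(1)] += 1
    return dict(counts)
```

With the defaults, a 4-core search head gets max_hist = 10 and a scheduler quota of 5, so ten always-on real-time alerts cannot all run; raising cores or max_searches_perc changes the budget, which is why the answer steers toward short scheduled intervals instead.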

erwan_raulet
Explorer

Are rolling-window alerts considered real-time alerts?

0 Karma
