Real time Alert

omarka · ‎07-13-2018

Hello,

I'm trying to generate an alert if the result is greater than 2, but i don't have the field Real-Time as shown in the picture:

Is there any other way to generate this alert ?

Thank you

woodcock · ‎07-15-2018

There are very, Very, VERY good reasons that your admin has wisely taken away Real-Time, including:

1: Any real-time anything locks 1 core on EVERY Indexer and Your Search-Head. This does not scale.
2: You don't need it. If you cannot react to the alert in ~1s, a short-window regular search is just as effective.
3: There is pipeline latency in getting events into Splunk and a real-time search may search for your event before it has even arrived on the indexer and make for many false-negatives.

Despite what all of the marketing and training says, SPLUNK IS *NOT* A REAL-TIME PRODUCT!

renjith_nair · ‎07-13-2018

Hi @omarka,

You need schedule_rtsearch permission to schedule a real time search.
Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible. You could use schedule search to run every 1 minute which should be enough in most of the uses Define scheduled alerts. Also have a look at the Best Practices.

Happy Splunking!

Real time Alert

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!