Alerting

Real time alert option not available

cyber_Maddy
Engager

If you look at the picture I can't see the real-time alert option. Could you please assist me to get this on my Splunk?

PradReddy
Path Finder

Hi cyber_Maddy,

Overuse of real-time search can result in performance costs, and in this case you are not able to schedule a real-time alert because of restrictions that have been applied in your environment.

Options for restricting real-time search are as follows:

1) Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
2) Disable real-time search for particular roles and users.
3) Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
4) Edit limits.conf to restrict indexer support for real-time searches.

The documentation, How to restrict usage of real-time search is where you will want to go.
https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Restrictrealtimesearch

Also, make sure you're reading the documentation for your version of Splunk.

------
An upvote would be appreciated and Accept Solution if it helps!
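As an added illustration of how an admin could check which of the restrictions listed above is in effect, here is a small audit script (example code written for this post, not PradReddy's or Splunk's). It parses constructed .conf text; the keys it looks at are assumed from Splunk's conf-file documentation (authorize.conf capability `rtsearch` with `importRoles` inheritance, indexes.conf `enableRealtimeSearch`, limits.conf [search] `max_rt_search_multiplier`), so verify them against the docs for your version.

```python
# Audit constructed Splunk .conf text for the real-time search restrictions
# discussed above. Conf keys are assumed from Splunk docs; confirm for your version.
import re

def parse_conf(text):
    """Minimal parser for Splunk's INI-like .conf files -> {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return stanzas

def role_has_rtsearch(authorize, role, seen=None):
    """True if the role grants rtsearch directly or via an imported role (option 2)."""
    if seen is None:
        seen = set()
    if role in seen:            # guard against import cycles
        return False
    seen.add(role)
    stanza = authorize.get("role_" + role, {})
    if stanza.get("rtsearch", "").lower() == "enabled":
        return True
    parents = [r for r in stanza.get("importRoles", "").split(";") if r]
    return any(role_has_rtsearch(authorize, p, seen) for p in parents)

def realtime_disabled_indexes(indexes):
    """Indexes where real-time search is switched off in indexes.conf (option 1)."""
    return sorted(name for name, s in indexes.items()
                  if s.get("enableRealtimeSearch", "true").lower() in ("false", "0"))

def rt_search_multiplier(limits):
    """Concurrency multiplier for real-time searches from limits.conf (option 3)."""
    return float(limits.get("search", {}).get("max_rt_search_multiplier", "1"))

# Constructed sample configs (not from any real deployment).
AUTHORIZE = """[role_power]\nrtsearch = enabled
[role_soc_analyst]\nimportRoles = user\nrtsearch = disabled
[role_soc_lead]\nimportRoles = soc_analyst;power"""
INDEXES = "[main]\nenableRealtimeSearch = true\n[firewall]\nenableRealtimeSearch = false"
LIMITS = "[search]\nmax_rt_search_multiplier = 0.5"
```

With the sample above, `soc_analyst` cannot run real-time searches (so the alert option would be hidden for that role), while `soc_lead` inherits it from `power`.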
