- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Real time alert option not available
If you look at the picture I cant see the real time alert option, Could you please assist me to get this on my splunk ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi cyber_Maddy,
Overuse of real-time search can result in performance costs and in this you are not able to scheduled a real-time alert because of restrictions that have applied in your environment
Options for restricting real-time search are as follows:
1) Disable real-time search at the indexer level by editing indexes.conf for specific indexes.
2) Disable real-time search for particular roles and users.
3) Edit limits.conf to reduce the number of real-time searches that can be run concurrently at any given time.
4) Edit limits.conf to restrict indexer support for real-time searches.
The documentation, How to restrict usage of real-time search is where you will want to go.
https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Restrictrealtimesearch
Also, make sure you're reading the documentation for your version of Splunk.
------
An upvote would be appreciated and Accept Solution if it helps!
