Alerting

What is the difference between alert and report?

logloganathan
Motivator

Could anyone please provide a difference between report and alert?

1 Solution

tiagofbmm
Influencer

A report can be used in a dashboard. It does not have to trigger anything.

You can reference the reports by their name into a dashboard instead of placing them in plain SPL

An alert is based on a scheduled saved search that whenever certain conditions are overcome, generates one or more actions to be executed.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/AlertWorkflowOverview


Lowell
Super Champion

To convert a report to an alert, open the Advanced Edit, and set the filter to alert_

Then set:

  • alert_type
  • alert_comparator
  • alert_threshold

 

Here's a simple example:

Lowell_0-1622064003880.png

 

If you are searching the REST endpoint and trying to classify your saved searches, here's a search I find helpful to start from:


| rest splunk_server=local /services/saved/searches
| fields - display.* dispatch.*
| search is_visible=1 AND disabled!=true AND is_scheduled=1
| eval type=if(alert_type="always", "report", "alert")
| table title type disabled scheduled cron_schedule eai:acl.app eai:acl.owner actions search

woodcock
Esteemed Legend

Originally only alerts had alert actions but customers insisted and now reports also can have alert actions so literally there is no functional difference between the two. There is now only a taxonomical difference which you are free to slice any way that you like. Settings-wise, the difference between the two now is defined in savedsearches.conf as: alert.track=1 means alert and alert.track=0 means report. That is it.

nrodrigues
Engager

After many tests, my saved search is still in mode "Report" with only "alert.track=1". An alert type seems to consist of 3 points:

  • A cron schedule
  • A trigger condition
  • Trigger actions

In my case, here are the options used with the endpoint API "POST /servicesNS/-/-/saved/searches" to get an alert type:

  • "is_scheduled": 1,
  • "alert_type": "number of events"
  • "alert_comparator": "greater than",
  • "alert_threshold": 0,
  • "alert.track": 1

If I remove one of these options, I get a report saved search instead of an alert. With the configuration file (savedsearches.conf), the options are "cron_schedule, enableSched, counttype, relation, alert.track".

martin_mueller
SplunkTrust

This answer is incorrect.

Here's a savedsearches.conf entry with alert.track=false; note how in the screenshot the corresponding alert action "Add to triggered Alerts" is not selected.
Yet the same screenshot shows the UI declares this as type Alert.

[screenshot: saved search edit page, type shown as Alert, "Add to triggered Alerts" not selected]

Here's the corresponding btool output:

[screenshot: btool output for the savedsearches.conf stanza]

The two previous answers from 2019 are correct: a report always triggers (savedsearches.conf counttype=always), while an alert has a condition (counttype!=always).
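Added example (written for this page, not code from the thread or from Splunk) that applies the rule the replies above converge on: a saved search is an alert when its trigger condition is anything other than counttype=always (alert_type on the REST endpoint); alert.track and alert actions do not decide the type. It parses a constructed savedsearches.conf fragment covering the cases nrodrigues and martin_mueller discuss, classifies each stanza, and maps the conf keys onto the field names nrodrigues lists for POST /servicesNS/-/-/saved/searches (the same fields Lowell sets through Advanced Edit). The defaults used when a key is absent (counttype treated as always, alert.track treated as not tracked) are assumptions of this example, not a statement of Splunk's own defaults.

```python
"""Classify Splunk saved searches as reports or alerts from savedsearches.conf text.

Added example for this thread; not code from the page or from Splunk.
The conf fragment below is constructed to cover the cases argued over above.
"""
import configparser

# Constructed savedsearches.conf fragment (not from a real deployment).
SAMPLE_CONF = """\
[Failed logins - scheduled report]
search = index=auth action=failure | stats count by user
cron_schedule = */15 * * * *
enableSched = 1
counttype = always
action.email = 1
action.email.to = soc@example.com

[Failed logins - alert]
search = index=auth action=failure | stats count by user
cron_schedule = */15 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com

[Alert with tracking off]
search = index=auth action=failure | stats count
cron_schedule = 0 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 10
alert.track = 0

[Ad hoc report]
search = index=auth | top user
"""

# savedsearches.conf key -> field name on the saved/searches REST endpoint
CONF_TO_REST = {
    "enableSched": "is_scheduled",
    "counttype": "alert_type",
    "relation": "alert_comparator",
    "quantity": "alert_threshold",
}


def parse_savedsearches(text):
    """Return {stanza name: {key: value}} from savedsearches.conf text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (enableSched, alert.track)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def describe(stanza):
    """Classify one stanza and pull out the settings people confuse with the type."""
    # Assumption: a missing counttype is treated as 'always' (a report).
    counttype = stanza.get("counttype", "always").strip().lower()
    enabled_actions = sorted(
        key.split(".", 1)[1]
        for key, value in stanza.items()
        # 'action.email = 1' enables an action; 'action.email.to' is a parameter of it
        if key.startswith("action.") and key.count(".") == 1 and value.strip() == "1"
    )
    return {
        "kind": "report" if counttype == "always" else "alert",
        "scheduled": stanza.get("enableSched", "0").strip() == "1",
        # Assumption: only an explicit alert.track = 1 counts as tracked here.
        "tracked": stanza.get("alert.track", "0").strip() == "1",
        "actions": enabled_actions,
    }


def classify_all(text):
    """Classify every stanza in a savedsearches.conf text."""
    return {name: describe(st) for name, st in parse_savedsearches(text).items()}


def to_rest_payload(name, stanza):
    """Translate a stanza into form fields for POST /servicesNS/-/-/saved/searches."""
    payload = {"name": name, "search": stanza["search"]}
    for conf_key, rest_key in CONF_TO_REST.items():
        if conf_key in stanza:
            payload[rest_key] = stanza[conf_key]
    for same_name in ("cron_schedule", "alert.track"):  # same key on both sides
        if same_name in stanza:
            payload[same_name] = stanza[same_name]
    return payload


if __name__ == "__main__":
    for name, info in classify_all(SAMPLE_CONF).items():
        print(f"{name:36} {info['kind']:6} scheduled={info['scheduled']} "
              f"tracked={info['tracked']} actions={info['actions']}")
```

Running it prints one line per stanza. The first stanza is scheduled and has action.email enabled, yet classifies as a report because counttype=always; the third classifies as an alert even with alert.track=0, which is the point martin_mueller's screenshot makes. To create the alert stanza through the REST API, pass to_rest_payload(...) as the form data of the POST the nrodrigues reply names.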

niketn
Legend

@logloganathan could you elaborate on your use case or the reason for this question? We would definitely want to assist but without understanding your need we might be shooting in the dark!


logloganathan
Motivator

Because I can use the same query in a report and an alert without triggering any action


kmaron
Motivator

The main difference between an alert and a report is the trigger condition. With the trigger condition, an alert will only do an action under the specified circumstances, whereas a scheduled report will ALWAYS do its action if one is selected, and an unscheduled report will only run when chosen.

woodcock
Esteemed Legend

This is incorrect. See my answer.


tiagofbmm
Influencer

A report can be used in a dashboard. It does not have to trigger anything.

You can reference the reports by their name into a dashboard instead of placing them in plain SPL

An alert is based on a scheduled saved search that whenever certain conditions are overcome, generates one or more actions to be executed.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/AlertWorkflowOverview

woodcock
Esteemed Legend

This answer is incorrect. See my answer.


ruman_splunk
Splunk Employee

But this is not quite true. A report can have actions. I think @kmaron's response is correct - a saved search is an alert if it has a trigger condition.

woodcock
Esteemed Legend

This is incorrect. See my answer.
