Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the difference between alert and report?

logloganathan
Motivator
‎03-20-2018 08:53 AM

Could anyone please provide a difference between report and alert?

Labels (1)
Labels
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-20-2018 09:07 AM

A report can be used in a dashboard. It does have to trigger anything.

You can reference the reports by their name into a dashboard instead of placing them in plain SPL

An alert is based on a scheduled saved search that whenever certain conditions are overcome, generates one or more actions to be executed.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/AlertWorkflowOverview

View solution in original post

Reply
Solved! Jump to solution

Lowell
Super Champion
‎05-26-2021 02:26 PM

To convert a report to an alert, open the Advanced Edit, and set the filter to  alert_

Then set:

  • alert_type
  • alert_comparator
  • alert_threshold

 

Here's a simple example:

Lowell_0-1622064003880.png

 

If you are searching the rest endpoint and trying to classify your saved searches, here's a search I find helpful to start from:

 

| rest splunk_server=local /services/saved/searches
| fields - display.* dispatch.*
| search is_visible=1 AND disabled!=true AND is_scheduled=1
| eval type=if(alert_type="always", "report", "alert")
| table title type disabled scheduled cron_schedule eai:acl.app eai:acl.owner actions search

 

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-03-2020 05:54 AM

Originally only alerts had alert actions but customers insisted and now reports also can have alert actions so literally there is no functional difference between the two. There is now only a taxonomical difference which you are free to slice any way that you like. Settings-wise, the difference between the two now is defined in savedsearches.conf as: alert.track=1 means alert and alert.track=0 means report. That is it.

Reply
Solved! Jump to solution

nrodrigues
Engager
‎01-25-2021 06:42 AM

After many test, my saved search is still in mode "Report" with only "alert.track=1". An alert type seems to be consisted of 3 points:

  • A cron schedule
  • A trigger condition
  • A trigger actions

In my case, here is the options used with the endpoint API "POST /servicesNS/-/-/saved/searches" to get an alert type:

  • "is_scheduled": 1,
  • "alert_type": "number of events"
  • "alert_comparator": "greater than",
  • "alert_threshold": 0,
  • "alert.track": 1

If I remove one of these options, I get a report saved search instead of alert. With the configuration file (savedsearches.conf), the options are "cron_schedule, enableSched, counttype, relation, alert.track".

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-03-2020 09:09 AM

This answer is incorrect.

Here's a savedsearches.conf entry with alert.track=false, note how in the screenshot the corresponding alert action "Add to triggered Alerts" is not selected.
Yet the same screenshot show the UI declares this as type Alert.

alt text

Here's the corresponding btool output:

alt text

The two previous answers from 2019 are correct, a report triggers always (savedsearches.conf counttype=always) while an alert has a condition (counttype!=always).

Reply
Solved! Jump to solution

niketn
Legend
‎03-20-2018 11:34 AM

@logloganathan could you elaborate on your use case or the reason for this question? We would definitely want to assist but without understanding your need we might be shooting in the dark!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-20-2018 11:59 PM

Because i can use same query in report and alert without triggering any action

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎03-20-2018 10:08 AM

The main difference between an alert and a report is the trigger condition. With the trigger condition an alert will only do an action under the specified circumstances. Where a scheduled report will ALWAYS do it's action if one is selected and an unscheduled report will only run when chosen.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-03-2020 05:55 AM

This is incorrect. See my answer.

0 Karma
Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-20-2018 09:07 AM

A report can be used in a dashboard. It does have to trigger anything.

You can reference the reports by their name into a dashboard instead of placing them in plain SPL

An alert is based on a scheduled saved search that whenever certain conditions are overcome, generates one or more actions to be executed.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/AlertWorkflowOverview

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-03-2020 05:54 AM

This answer is incorrect. See my answer.

0 Karma
Reply
Solved! Jump to solution

ruman_splunk
Splunk Employee
Splunk Employee
‎09-09-2019 11:30 AM

But this is not quite true. A report can have actions. I think @kmaron's response is correct - a saved search is an alert if it has a trigger condition.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-03-2020 05:55 AM

This is incorrect. See my answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...