Alerting

What is the difference between alert and report?

Motivator

Could anyone please provide a difference between report and alert?


Esteemed Legend

Originally only alerts had alert actions but customers insisted and now reports also can have alert actions so literally there is no functional difference between the two. There is now only a taxonomical difference which you are free to slice any way that you like. Settings-wise, the difference between the two now is defined in savedsearches.conf as: alert.track=1 means alert and alert.track=0 means report. That is it.


SplunkTrust

This answer is incorrect.

Here's a savedsearches.conf entry with alert.track=false; note in the screenshot that the corresponding alert action "Add to triggered Alerts" is not selected.
Yet the same screenshot shows the UI declares this as type Alert.


Here's the corresponding btool output:


The two previous answers from 2019 are correct: a report always triggers (savedsearches.conf counttype=always) while an alert has a condition (counttype!=always).
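As an added example (not from any post in this thread) of the savedsearches.conf distinction the answers argue over: constructed stanzas for a scheduled report, an alert with a trigger condition, and a report that relies on the default counttype, plus a small Python classifier that applies the counttype rule. Stanza names, searches and schedules are made up.

```python
import configparser

# Constructed savedsearches.conf stanzas (not from the thread): a scheduled report
# with an action, an alert with a trigger condition, and a report with no counttype.
SAVEDSEARCHES_CONF = """\
[Daily failed logins report]
search = index=auth action=failure | stats count by user
cron_schedule = 0 6 * * *
enableSched = 1
counttype = always
alert.track = 0
action.email = 1

[Failed logins spike alert]
search = index=auth action=failure | stats count
cron_schedule = */15 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 50
alert.track = 1
action.email = 1

[Weekly asset inventory]
search = index=assets | dedup host | table host, owner
cron_schedule = 0 7 * * 1
enableSched = 1
"""

def classify_saved_searches(conf_text):
    """Classify each stanza as 'alert' or 'report': a trigger condition (counttype != always)
    makes it an alert; counttype=always (the Splunk default when absent) makes it a report."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # preserve key case such as "alert.track"
    parser.read_string(conf_text)
    result = {}
    for name in parser.sections():
        stanza = parser[name]
        counttype = stanza.get("counttype", "always").strip().lower()
        has_condition = counttype != "always"
        result[name] = {
            "kind": "alert" if has_condition else "report",
            "trigger_condition": (counttype, stanza.get("relation", ""),
                                  stanza.get("quantity", "")) if has_condition else None,
            "tracked": stanza.get("alert.track", "0").strip() in ("1", "true"),
            "has_action": any(k.startswith("action.") and v.strip() in ("1", "true")
                              for k, v in stanza.items()),
        }
    return result
```

The report stanza still carries an enabled e-mail action, which is exactly why "has an action" alone does not make a saved search an alert.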

SplunkTrust

@logloganathan could you elaborate on your use case or the reason for this question? We would definitely want to assist but without understanding your need we might be shooting in the dark!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Motivator

Because I can use the same query in a report and an alert without triggering any action.


Motivator

The main difference between an alert and a report is the trigger condition. With the trigger condition, an alert will only do an action under the specified circumstances, whereas a scheduled report will ALWAYS do its action if one is selected, and an unscheduled report will only run when chosen.

Esteemed Legend

This is incorrect. See my answer.


Influencer

A report can be used in a dashboard. It doesn't have to trigger anything.

You can reference reports by their name in a dashboard instead of placing the plain SPL there.

An alert is based on a scheduled saved search that, whenever certain conditions are met, generates one or more actions to be executed.

https://docs.splunk.com/Documentation/Splunk/7.0.2/Alert/AlertWorkflowOverview


Esteemed Legend

This answer is incorrect. See my answer.


Splunk Employee

But this is not quite true. A report can have actions. I think @kmaron's response is correct - a saved search is an alert if it has a trigger condition.

Esteemed Legend

This is incorrect. See my answer.
