Solved: Saving scheduled searches: what's the difference i...

MonkeyK · ‎08-29-2017

I have some scheduled queries for which the only purpose is to maintain a lookup table (or maybe summary index after I figure out how to do those).

Splunk only allows me to save these scheduled searches as either an alert or a report. Is there any advantage to choosing one over the other if I don't need reporting or alerting on the search?

lfedak_splunk · ‎08-29-2017

Hey @MonkeyK, Check out this awesomely detailed explanation: https://answers.splunk.com/answers/187134/report-vs-alert-whats-the-difference.html

View solution in original post

lfedak_splunk · ‎08-29-2017

Hey @MonkeyK, Check out this awesomely detailed explanation: https://answers.splunk.com/answers/187134/report-vs-alert-whats-the-difference.html

MonkeyK · ‎08-30-2017

Thank you lfedak. That explanation notes different workflows that can be built around a saved search. I was wondering if the was any reason to choose one over the other if I have no need for additional workflows?

For example, is there a performance consideration for choosing report or alert?

woodcock · ‎09-10-2017

They are exactly the same thing but one allows you to tack on other things to the end. Just use a report and don't overthink this.

MonkeyK · ‎09-20-2017

Thanks woodcock. That was what I wanted to be sure of.

Saving scheduled searches: what's the difference if it's saved as a report or as an alert?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services