Solved: Re: Saving scheduled searches: what's the differen...

MonkeyK · ‎08-29-2017

I have some scheduled queries for which the only purpose is to maintain a lookup table (or maybe summary index after I figure out how to do those).

Splunk only allows me to save these scheduled searches as either an alert or a report. Is there any advantage to choosing one over the other if I don't need reporting or alerting on the search?

lfedak_splunk · ‎08-29-2017

Hey @MonkeyK, Check out this awesomely detailed explanation: https://answers.splunk.com/answers/187134/report-vs-alert-whats-the-difference.html

View solution in original post

lfedak_splunk · ‎08-29-2017

Hey @MonkeyK, Check out this awesomely detailed explanation: https://answers.splunk.com/answers/187134/report-vs-alert-whats-the-difference.html

MonkeyK · ‎08-30-2017

Thank you lfedak. That explanation notes different workflows that can be built around a saved search. I was wondering if the was any reason to choose one over the other if I have no need for additional workflows?

For example, is there a performance consideration for choosing report or alert?

woodcock · ‎09-10-2017

They are exactly the same thing but one allows you to tack on other things to the end. Just use a report and don't overthink this.

MonkeyK · ‎09-20-2017

Thanks woodcock. That was what I wanted to be sure of.

Saving scheduled searches: what's the difference if it's saved as a report or as an alert?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!