Scalable alerting
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Scalable alerting
Advanced conditional alerting
This feature allows users to specify more complex conditions for triggering alerts. In previous versions of Splunk, users were limited to setting alerting conditions based on the number of events, sources, and hosts that appeared in a result set. Now, for any result set, a user can specify a search as a condition. If that search returns one or more events (ie true), an alert containing the original result set would be triggered.
Learn more about advanced conditional alerting in the Admin Manual.
Alerts over large data sets
This feature includes Splunk's ability to run alerts concurrently and over larger datasets. This is an extension of Splunk's Analyze large datasets feature.
Splunk's back-end processing and handling of alerts has been improved substantially, allowing users to run alerts concurrently (in previous versions they were run serially).
Benefits
- Run alerts over larger datasets and with more frequency compared to previous versions of Splunk
- Users can create more specific conditions for triggering an alert, reducing the number of missed or false positive alerts
- Conditions to alert can now involved complex calculations on the data set without changing the content of the alert itself
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.