There are two alert types, scheduled and real-time. Alert type definitions are based on alert search timing. Depending on the scenario, you can configure timing, triggering, and other behavior for either alert type.
Alert type comparison
Here is a comparison of scheduled and real-time alerts.
| Alert type | When it searches for events | Triggering options | Throttling options |
| --- | --- | --- | --- |
| Scheduled | Searches according to a schedule. Choose from the available timing options or use a cron expression to schedule the search. | Specify conditions for triggering the alert based on result or result field counts. When a set of search results meets the trigger conditions, the alert can trigger one time or once for each of the results. | Specify a time period for suppression. |
| Real-time | Searches continuously. | Per-result: Triggers every time there is a search result. | Specify a time period and optional field values for suppression. |
| Real-time | Searches continuously. | Rolling time window: Specify conditions for triggering the alert based on result or result field counts within a rolling time window. For example, a real-time alert can trigger whenever there are more than ten results in a five-minute window. | Specify a time period for suppression. |
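The three table rows expressed as savedsearches.conf stanzas, added here as an illustration and not taken from this page: the stanza names, the `index=auth` search and the suppression periods are constructed, while the setting names are standard savedsearches.conf keys.

```ini
# Constructed example stanzas (not from this page). Stanza names, the
# index=auth search and the time values are made up to mirror the table.

# Row 1: scheduled alert. Runs every 15 minutes over the previous 15 minutes,
# triggers once for the whole result set, then is throttled for one hour.
[Failed logins - scheduled]
search = index=auth action=failure | stats count by user
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# 1 = trigger one time per result set; 0 = trigger once for each result
alert.digest_mode = 1
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1

# Row 2: real-time, per-result. The search runs continuously (rt to rt)
# and every result triggers; repeats for the same user are suppressed
# for 10 minutes via the optional suppression field.
[Failed logins - real-time per result]
search = index=auth action=failure
enableSched = 1
dispatch.earliest_time = rt
dispatch.latest_time = rt
alert_type = always
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.period = 10m
alert.suppress.fields = user
alert.track = 1

# Row 3: real-time, rolling time window. Fires when more than ten results
# fall inside the trailing five-minute window; throttled for 15 minutes.
[Failed logins - real-time rolling window]
search = index=auth action=failure
enableSched = 1
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
alert_type = number of events
alert_comparator = greater than
alert_threshold = 10
alert.digest_mode = 1
alert.suppress = 1
alert.suppress.period = 15m
alert.track = 1
```

The same three stanzas are what the alert editor writes when you pick Scheduled, Real-time Per-Result, or Real-time Rolling Window, so comparing them side by side shows which keys each choice actually changes.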
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0.0, 7.0.1, 7.0.2