Splunk® Enterprise

Alerting Manual

Alert types

There are two alert types, scheduled and real-time. The types are distinguished by when the alert's search runs: on a schedule, or continuously. For either type you can configure the timing, the trigger conditions, and throttling to fit the scenario.


Alert type comparison

Here is a comparison of scheduled and real-time alerts.

Alert type: Scheduled
  When it searches for events: Searches according to a schedule. Choose from the available timing options or use a cron expression to schedule the search.
  Triggering options: Specify conditions for triggering the alert based on result or result field counts. When a set of search results meets the trigger conditions, the alert can trigger one time or once for each of the results.
  Throttling options: Specify a time period for suppression.

Alert type: Real-time (per-result)
  When it searches for events: Searches continuously.
  Triggering options: Triggers every time there is a search result.
  Throttling options: Specify a time period and optional field values for suppression.

Alert type: Real-time (rolling time window)
  When it searches for events: Searches continuously.
  Triggering options: Specify conditions for triggering the alert based on result or result field counts within a rolling time window. For example, a real-time alert can trigger whenever there are more than ten results in a five minute window.
  Throttling options: Specify a time period for suppression.
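As an added example, not taken from the Splunk documentation itself, the three alert configurations in the comparison above are shown below as savedsearches.conf stanzas. The stanza names, the `auth` index, the `linux_secure` sourcetype, the search strings and the `src_ip` field are assumed for illustration; the attribute names are standard savedsearches.conf settings. The comments mark the values a practitioner checks when an alert fires too often or not at all.

```ini
# savedsearches.conf (added example; stanza names, index, sourcetype, search
# strings and the src_ip field are assumptions, not from the original page)

# --- Scheduled alert: trigger once per run -----------------------------------
[Failed logins - scheduled]
search = index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip
enableSched = 1
# Run every 5 minutes.
cron_schedule = */5 * * * *
# The search window matches the cron interval and is snapped to the minute so
# consecutive runs neither overlap nor leave a gap between them.
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# Trigger condition: number of results greater than 10.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 10
# digest_mode = 1: one trigger per run covering all results ("trigger once").
alert.digest_mode = 1
# Throttling: after one trigger, suppress further triggers for 1 hour.
alert.suppress = 1
alert.suppress.period = 1h
alert.track = 1
alert.severity = 4

# --- Real-time alert, per-result ---------------------------------------------
[Root login - per result]
search = index=auth sourcetype=linux_secure "Accepted" user=root
enableSched = 1
# A schedule string is still required with enableSched = 1; the real-time
# dispatch times below are what make this alert run continuously.
cron_schedule = * * * * *
# "rt" with no offset on both ends: each matching event is evaluated as it
# arrives, with no window.
dispatch.earliest_time = rt
dispatch.latest_time = rt
# alert_type = always with digest_mode = 0 gives one trigger per result.
alert_type = always
alert.digest_mode = 0
# Per-result throttling: suppress repeat triggers for the same src_ip for
# 10 minutes. alert.suppress.fields only applies with digest_mode = 0.
alert.suppress = 1
alert.suppress.period = 10m
alert.suppress.fields = src_ip
alert.track = 1

# --- Real-time alert, rolling window -----------------------------------------
[Failed logins - rolling window]
search = index=auth sourcetype=linux_secure "Failed password"
enableSched = 1
cron_schedule = * * * * *
# Rolling 5-minute window ending now.
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
# Trigger whenever the window holds more than 10 results.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 10
alert.digest_mode = 1
alert.suppress = 1
alert.suppress.period = 5m
alert.track = 1
```

Two points worth checking before relying on these in a detection pipeline. First, throttling suppresses the alert actions, not the match: during a suppression period the condition can be met again without anyone being notified, so a long `alert.suppress.period` belongs with a "trigger once" digest alert whose single notification already summarises the batch, and `alert.track = 1` keeps the triggered-alert history so suppressed runs can still be audited. Second, confirm what Splunk actually loaded after a deployment with `splunk btool savedsearches list "Failed logins - scheduled" --debug`, which shows the effective value of each attribute and the file it came from; a default in another app silently overriding `alert.suppress.fields` or `alert.digest_mode` is a common reason a per-result alert either floods or never fires.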

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0