Download topic as PDF
Alert types
There are two alert types, scheduled and real-time. Alert type definitions are based on alert search timing. Depending on the scenario, you can configure timing, triggering, and other behavior for either alert type.
Alert type comparison
Here is a comparison of scheduled and real-time alerts.
| Alert type | When it searches for events | Triggering options | Throttling options |
|---|---|---|---|
| Scheduled | Searches according to a schedule. Choose from the available timing options or use a cron expression to schedule the search. | Specify conditions for triggering the alert based on result or result field counts. When a set of search results meets the trigger conditions, the alert can trigger one time or once for each of the results. | Specify a time period for suppression. |
| Real-time | Searches continuously. | Per-result: Triggers every time there is a search result. | Specify a time period and optional field values for suppression. |
| Real-time | Searches continuously. | Rolling time window: Specify conditions for triggering the alert based on result or result field counts within a rolling time window. For example, a real-time alert can trigger whenever there are more than ten results in a five minute window. | Specify a time period for suppression. |
|
PREVIOUS The alerting workflow |
NEXT Alert type and triggering scenarios |
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4
Feedback submitted, thanks!