Create real-time alerts
Use a real-time alert to monitor events or event patterns as they happen. You can create real-time alerts with per-result triggering or rolling time window triggering. Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible.
To compare scheduled and real-time alerts, see Alert types. To review scenarios for alert types and triggering, see Alert type and triggering scenarios.
Create a real-time alert with per-result triggering
Real-time alerts with per-result triggering are sometimes known as per-result alerts. This alert type runs a continuous real-time search, and every result that the search returns triggers the alert.
- Caution: If you have a Splunk Enterprise high-availability deployment, use per-result triggering with caution. If a search peer is unavailable, a real-time search does not warn that its results might be incomplete, so the alert can silently miss events. To avoid this issue, use a scheduled alert.
Follow these steps to create a real-time alert with per-result triggering.
- Navigate to the Search page in the Search & Reporting app.
- Create a search.
- Select Save As>Alert.
- Enter a title and optional description.
- Specify permissions.
- Select the Real-time alert type.
- (Optional) Change the Expires setting. This setting controls the lifespan of triggered alert records, which appear on the Triggered Alerts page.
- Select the Per-Result trigger option.
- (Optional) Configure a trigger throttling period.
- Select at least one alert action that occurs when the alert triggers.
- Click Save.
Create a real-time alert with rolling window triggering
Real-time alerts with rolling time window triggering are sometimes known as rolling window alerts. The rolling time window is an interval or increment, such as five minutes. It is not a scheduled time. Because real-time alerts search continuously, the time window applied to events also rolls forward in time.
Use this alert type and triggering when a specific time interval is part of the event pattern you are monitoring in real time, for example a count of failures per source within the last five minutes. This is the most resource-intensive alerting option. If the pattern does not require continuous monitoring, use a scheduled alert with an equivalent time range instead.
Follow these steps to create a real-time alert with rolling window triggering.
- Navigate to the Search page in the Search & Reporting app.
- Create a search.
- Select Save As>Alert.
- Enter a title and an optional description.
- Specify permissions.
- Select the Real-time alert type.
- (Optional) Change the Expires setting. This setting controls the lifespan of triggered alert records, which appear on the Triggered Alerts page.
- Select one of the available result-based conditions, or enter a custom triggering condition. Do not select per-result triggering.
- Specify a time interval to add to the triggering condition.
- (Optional) Configure a trigger throttling period.
- Select at least one alert action that occurs when the alert triggers.
- Click Save.
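The two procedures above produce savedsearches.conf stanzas. The following is an added example, not taken from the Splunk documentation or any shipped app: the stanza names, searches, index and field names, and the recipient address are constructed for illustration. The setting keys are the ones the Save As > Alert dialog writes for real-time alerts, but confirm them against what your own deployment saved, since the exact set varies by version.

```ini
# Constructed example: per-result real-time alert (first procedure).
# A real-time search with no window (rt to rt); every matching event
# fires the actions. Remember the caution above: on an indexer cluster
# an unavailable peer is not reported, so events can be missed silently.
[RT - root SSH failure]
search = index=linux sourcetype=linux_secure "Failed password" user=root
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt
dispatch.latest_time = rt
# "always" plus digest_mode = 0 is what the Per-Result trigger option writes.
alert_type = always
alert.digest_mode = 0
# Show on the Triggered Alerts page and keep the record for 24 hours (Expires).
alert.track = 1
alert.expires = 24h
# Throttling: at most one trigger per src_ip every 5 minutes,
# so a noisy source does not generate one email per event.
alert.suppress = 1
alert.suppress.period = 5m
alert.suppress.fields = src_ip
alert.severity = 4
action.email = 1
action.email.to = soc@example.com
action.email.subject = Root SSH failure from $result.src_ip$

# Constructed example: rolling-window real-time alert (second procedure).
# The search runs continuously over the last 5 minutes (rt-5m to rt);
# the window slides forward as time passes and the alert triggers
# whenever the windowed result count meets the condition.
[RT - SSH brute force, 20 or more failures per source in 5 minutes]
search = index=linux sourcetype=linux_secure "Failed password" | stats count by src_ip | where count >= 20
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
# Result-based condition: Number of Results is greater than 0.
# Not per-result: digest_mode = 1 passes the whole result set to the action.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.track = 1
alert.expires = 24h
# Throttle for 15 minutes after a trigger so one attack does not re-fire
# on every slide of the window.
alert.suppress = 1
alert.suppress.period = 15m
alert.severity = 5
action.email = 1
action.email.to = soc@example.com
action.email.subject = SSH brute force detected ($job.resultCount$ sources)
```

Place the stanzas in an app's local/savedsearches.conf (for example $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf) and restart or reload the app, or create the alert in the UI once and copy the stanza it writes. To see the effective settings after any overrides, run `splunk btool savedsearches list "RT - root SSH failure" --debug`. Throttling by field (alert.suppress.fields) is a per-result feature; with the rolling window stanza only the period applies.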
Additional resources
- Learn about alert and alert action permissions in Alert permissions.
- Step through alert examples in Alert examples.
- Learn more about using trigger conditions in Configure alert trigger conditions.
- Learn about using the Triggered Alerts page to review triggered alert records in Monitor triggered alerts.
This documentation applies to the following versions of Splunk® Enterprise: 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1