Alert type and triggering scenarios
Once you choose a scheduled or a real-time alert, you can configure how results trigger the alert. Depending on the events that you are monitoring, you might need a real-time alert that triggers with every result or a scheduled alert that only triggers if results meet certain conditions. The following scenarios show different use cases for alert types and triggering.
Use a scheduled alert to search for events on a regular basis and monitor whether they meet specific conditions. A scheduled alert is useful if immediate or real-time monitoring is not a priority.
- An online retailer has a daily goal of 500 sales. An admin for the retailer creates a scheduled alert to monitor sales performance. The admin schedules the alert to search for sales events each day at 23:00. She configures the alert to trigger if the number of results is lower than 500.
- An admin wants to monitor how frequently users follow a bad link to the 404 error page. The admin creates a scheduled alert that searches for 404 errors every hour and triggers if there are more than 100 results.
- An admin creates a scheduled alert to check if a particular host has not sent any data to the Splunk platform in the last few hours. He schedules the alert to search for events from the host every three hours. The admin configures the alert to trigger if there are no search results.
Real-time alerts search for events continuously. They can be useful in situations where immediate monitoring and responses are important. You can use real-time alerts that trigger once per result or only if certain conditions are met within a specific rolling time window.
A real-time alert with a per-result triggering condition is sometimes known as a "per-result alert". Use this alert type and triggering to search continuously for events and to receive notifications when events occur.
- Caution: In a high availability deployment, use per-result triggering with caution. If a peer is not available, a real-time search does not warn that the search might be incomplete. It is recommended to use a scheduled alert for this deployment.
Here are some examples of using a real-time alert with per-result triggering.
- A social networking website admin wants to know whenever login failures occur. She sets up a real-time alert to search for failed login attempts. She chooses a per-result trigger condition so that she can track every failed login attempt.
- An admin wants to monitor a set of hosts for errors in real-time. Some errors need a more urgent response than others. The admin sets up a real-time alert with a per-result trigger condition. He throttles the alert using a field that represents the less urgent error code and a one hour suppression period. The alert triggers for every urgent error, but at most once in an hour for less urgent errors.
Rolling time window triggering
A real-time alert with rolling time window triggering is sometimes known as a "rolling window alert". This alert type and triggering are useful when a specific time window is an important part of the event pattern you are monitoring in real time.
Here are some examples of using a real-time alert with rolling time window triggering.
- An admin wants a notification whenever a user has three failed logins within a ten minute period. The admin sets up a real-time alert to search for failed logins and configures a rolling ten minute time window. The admin throttles the alert so that it triggers only once in an hour for failed logins from the same user.
- An admin wants to know whenever a web application has more than five database connection errors in a minute. She configures a real-time alert to search for error events and specifies a one minute rolling window. If the search returns one result and then four more results five minutes later, the alert does not trigger. However, the alert triggers if the search returns five results within a one minute span.
See Throttle alerts to review additional throttling scenarios.
Create scheduled alerts
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2111, 8.0.2007, 8.1.2009, 8.0.2006, 8.1.2012, 8.1.2011, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105, 8.2.2106, 8.2.2107 (latest FedRAMP release), 8.2.2109