Alert types
There are two alert types, scheduled and real-time. Alert type definitions are based on alert search timing. Depending on the scenario, you can configure timing, triggering, and other behavior for either alert type.
Alert type comparison
Here is a comparison of scheduled and real-time alerts.
| Alert type | When it searches for events | Triggering options | Throttling options |
|---|---|---|---|
| Scheduled | Searches according to a schedule. Choose from the available timing options or use a cron expression to schedule the search. | Specify conditions for triggering the alert based on result or result field counts. When a set of search results meets the trigger conditions, the alert can trigger one time or once for each of the results. | Specify a time period for suppression. |
| Real-time | Searches continuously. | Per-result: Triggers every time there is a search result. | Specify a time period and optional field values for suppression. |
| Real-time | Searches continuously. | Rolling time window: Specify conditions for triggering the alert based on result or result field counts within a rolling time window. For example, a real-time alert can trigger whenever there are more than ten results in a five minute window. | Specify a time period for suppression. |
Last modified on 05 March, 2016
| The alerting workflow | Alert type and triggering scenarios |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Download manual
Feedback submitted, thanks!