Mastering Splunk

By : James D. Miller

Scheduled or real time

We've looked at scheduled alerts in detail in this chapter, so now, let's take a look at Splunk's ability to provide real-time alerts.

With real-time searching, you can search for events before they are indexed and preview the results as the events stream in. Based on real-time searches, you can create alerts that run continuously in the background to deliver timelier notifications than alerts that are based on scheduled searches.

Creating a real-time alert follows the same steps as creating a scheduled alert:

  1. On the Search page, click on Save As.

  2. When the Save As Alert dialog opens, give your alert a name and a description.

  3. Select the Alert type you want to configure (Real Time):

When you select Real Time (no scheduling information is required), you can select a Trigger condition option as follows:

  • Per-Result: This is triggered whenever a search returns a result

  • Number of Results: This is triggered based on the number of search...
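The two alert types described above correspond to two stanzas in Splunk's savedsearches.conf. The following is an added example, not from the book: a scheduled alert and its real-time, per-result counterpart for a constructed failed-login search. The stanza names, the search string and the recipient address are assumptions; the key names follow savedsearches.conf as documented for Splunk Enterprise, so check them against your version's savedsearches.conf.spec.

```ini
# Scheduled alert: runs every 5 minutes over the previous 5 minutes
# and fires once when the result count crosses a threshold.
[Failed logins - scheduled]                  ; assumed stanza name
search = index=security sourcetype=auth "authentication failure" | stats count by user
enableSched = 1
cron_schedule = */5 * * * *                  ; scheduler decides when it runs
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# Trigger condition "Number of Results": fire when count > 10
counttype = number of events
relation = greater than
quantity = 10
alert.digest_mode = 1                        ; one notification per run
alert.track = 1                              ; list it under Triggered Alerts
alert.severity = 4
action.email = 1
action.email.to = soc@example.invalid        ; constructed recipient

# Real-time alert: the same search streams continuously; no scheduling
# information is needed because the window is anchored to "now" (rt).
[Failed logins - real-time]                  ; assumed stanza name
search = index=security sourcetype=auth "authentication failure"
enableSched = 1
cron_schedule = * * * * *                    ; kept running by the scheduler
dispatch.earliest_time = rt-1m               ; sliding one-minute real-time window
dispatch.latest_time = rt
# Trigger condition "Per-Result": fire on every matching event
counttype = always
alert.digest_mode = 0                        ; one notification per result
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.invalid        ; constructed recipient
```

Per-result real-time alerts notify on every event, so pair them with a search narrow enough that the notification volume stays manageable.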