Create real-time alerts
Use a real-time alert to monitor events or event patterns as they happen. You can create real-time alerts with per-result triggering or rolling time window triggering. Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible.
To compare scheduled and real-time alerts, see Alert types. To review scenarios for alert types and triggering, see Alert type and triggering scenarios.
Create a real-time alert with per-result triggering
Real-time alerts with per-result triggering are sometimes known as per-result alerts. This alert type and triggering use a continuous real-time search to look for events. Each search result triggers the alert.
Caution: If you have a Splunk Enterprise high-availability deployment, use per-result triggering with caution. If a peer is not available, a real-time search does not warn that the search might be incomplete. To avoid this issue, use a scheduled alert.
Follow these steps to create a real-time alert with per-result triggering.
- Navigate to the Search page in the Search & Reporting app.
- Create a search.
- Select .
- Enter a title and optional description.
- Specify permissions.
- Select the Real-time alert type.
- (Optional) Change the Expires setting. This setting controls the lifespan of triggered alert records, which appear on the Triggered Alerts page.
- Select the Per-Result trigger option.
- (Optional) Configure a trigger throttling period.
- Select at least one alert action that occurs when the alert triggers.
- Click Save.
 
Create a real-time alert with rolling window triggering
Real-time alerts with rolling time window triggering are sometimes known as rolling window alerts. The rolling time window is an interval or increment, such as five minutes. It is not a scheduled time. Because real-time alerts search continuously, the time window applied to events also rolls forward in time.
Use this alert type and triggering when a specific time interval is part of the event pattern you are monitoring in real time. This alert type and triggering are the most resource-demanding alerting option, so consider using another alert type where possible.
Follow these steps to create a real-time alert with rolling window triggering.
- Navigate to the Search page in the Search & Reporting app.
- Create a search.
- Select .
- Enter a title and an optional description.
- Specify permissions.
- Select the Real-time alert type.
- (Optional) Change the Expires setting. This setting controls the lifespan of triggered alert records, which appear on the Triggered Alerts page.
- Select one of the available result-based conditions, or enter a custom triggering condition. Do not select per-result triggering.
- Specify a time interval to add to the triggering condition.
- (Optional) Configure a trigger throttling period.
- Select at least one alert action that occurs when the alert triggers.
- Click Save.
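Both procedures above are UI walkthroughs; the settings they produce are stored in savedsearches.conf. The following two stanzas are an added example, not part of this page or of Splunk's own documentation, showing what a per-result real-time alert and a rolling window real-time alert look like as configuration. The key names are the savedsearches.conf keys as commonly documented (enableSched, cron_schedule, dispatch.earliest_time, dispatch.latest_time, alert_type, alert_comparator, alert_threshold, alert.digest_mode, alert.track, alert.expires, alert.suppress, alert.suppress.period, action.email, action.email.to); the stanza names, the search strings, the threshold, the window and the email address are constructed values. Verify key names and accepted values against the savedsearches.conf.spec shipped with your Splunk version before deploying.

```ini
# Added example: savedsearches.conf equivalents of the two real-time alerts
# described in this page. Stanza names, searches and addresses are constructed.

# --- Real-time alert with per-result triggering ---------------------------
# Every event returned by the continuous real-time search fires the alert.
# Note the caution in the text above: in a high-availability deployment a
# real-time search does not warn when a peer is unavailable, so results may
# be incomplete without any indication.
[Failed login - per result (example)]
search = index=auth action=failure
enableSched = 1
cron_schedule = * * * * *
# "rt" on both ends is what makes this a real-time search with no window.
dispatch.earliest_time = rt
dispatch.latest_time = rt
# alert_type = always plus digest_mode = 0 is per-result triggering:
# actions run once per result rather than once per batch.
alert_type = always
alert.digest_mode = 0
# Record triggered instances on the Triggered Alerts page (the Expires setting).
alert.track = 1
alert.expires = 24h
# Optional throttling: after one trigger, stay quiet for 5 minutes.
alert.suppress = 1
alert.suppress.period = 5m
# At least one alert action is required. Constructed recipient address.
action.email = 1
action.email.to = soc-oncall@example.com

# --- Real-time alert with rolling window triggering -----------------------
# The search runs continuously, but the condition is evaluated over a window
# that rolls forward with time (here: the last 5 minutes).
[Failed login burst - rolling window (example)]
search = index=auth action=failure | stats count by src_ip
enableSched = 1
cron_schedule = * * * * *
# "rt-5m" to "rt" is the rolling time window added to the trigger condition.
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
# Result-based condition (not per-result): trigger when the number of
# results in the window exceeds the threshold. alert_threshold is constructed.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 10
alert.digest_mode = 1
alert.track = 1
alert.expires = 24h
alert.suppress = 1
alert.suppress.period = 5m
action.email = 1
action.email.to = soc-oncall@example.com
```

The two stanzas differ in exactly the places the procedures differ: the per-result alert uses dispatch.earliest_time = rt with alert_type = always and alert.digest_mode = 0, while the rolling window alert sets a relative earliest time (rt-5m) and a result-count condition. When reviewing an existing deployment for the resource cost the page warns about, searching savedsearches.conf for stanzas whose dispatch.earliest_time starts with rt is a quick way to inventory every real-time alert.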
 
Additional resources
- Learn about alert and alert action permissions in Alert permissions.
- Step through alert examples in Alert examples.
- Learn more about using trigger conditions in Configure alert trigger conditions.
- Learn about using the Triggered Alerts page to review triggered alert records in Monitor triggered alerts.