Alert types
There are two alert types, scheduled and real-time. Alert type definitions are based on alert search timing. Depending on the scenario, you can configure timing, triggering, and other behavior for either alert type.
Alert type comparison
Here is a comparison of scheduled and real-time alerts.
| Alert type | When it searches for events | Triggering options | Throttling options |
|---|---|---|---|
| Scheduled | Searches according to a schedule. Choose from the available timing options or use a cron expression to schedule the search. | Specify conditions for triggering the alert based on result or result field counts. When a set of search results meets the trigger conditions, the alert can trigger one time or once for each of the results. | Specify a time period for suppression. |
| Real-time | Searches continuously. | Per-result: Triggers every time there is a search result. | Specify a time period and optional field values for suppression. |
| Real-time | Searches continuously. | Rolling time window: Specify conditions for triggering the alert based on result or result field counts within a rolling time window. For example, a real-time alert can trigger whenever there are more than ten results in a five minute window. | Specify a time period for suppression. |