Alerting

Report v.s. Alert, what's the difference?

shangshin
Builder

Hi,
When I run a search query in Splunk, it can be saved as Report or Alert. What's the difference between them?
I looked at the stanza at savedsearches.conf but they are almost identical. Is there a systematic way to find out the number of reports vs alerts in all the saved searches?

Thanks in advance!

Tags (3)
1 Solution

jrodman
Splunk Employee
Splunk Employee

In Splunk, we really only have at a technology level the idea of a Search.

Searches have a LOT in them. They can be saved, permissioned, put in dashboards, scheduled, hooked up to terminal actions that fire when they complete, and more. Searches have so many optional pieces that it becomes hard to communicate the possible kinds of things that you can do with a Search.

As a result, in the UI layer we try to offer some compartmentalization to provide a simpler story. Here, we tend to use Report for a Search or Search workflow that you would produce results that people will typically look at, while we use Alert for a Search that will make a determination to take action in contacting the outside world via email or script execution if its results match a criteria.

In the save action, we take the hint if the user selects Alert to go through a workflow of helping provide useful decision making around setting up the alerting mechanism, timing, possible throttling, and so on. For a Report, there's some opportunity to go ahead and attach it to a dashboard.

If you do the configuration yourself, eg by accessing the Saved Search in the Manager UI, then you'll see they're the same type of thing. You can in fact have one search that you run to send out alerts, but that you also retain the output of to view in a visualization in a dashboard, for example. But this kind of dual-use scenario is hard to build focused workflows around so it only becomes relevant for people who are really fully controlling the sceanario, such as possibly some Splunk Admin scenarios, or possibly advanced App creators.

View solution in original post

jrodman
Splunk Employee
Splunk Employee

In Splunk, we really only have at a technology level the idea of a Search.

Searches have a LOT in them. They can be saved, permissioned, put in dashboards, scheduled, hooked up to terminal actions that fire when they complete, and more. Searches have so many optional pieces that it becomes hard to communicate the possible kinds of things that you can do with a Search.

As a result, in the UI layer we try to offer some compartmentalization to provide a simpler story. Here, we tend to use Report for a Search or Search workflow that you would produce results that people will typically look at, while we use Alert for a Search that will make a determination to take action in contacting the outside world via email or script execution if its results match a criteria.

In the save action, we take the hint if the user selects Alert to go through a workflow of helping provide useful decision making around setting up the alerting mechanism, timing, possible throttling, and so on. For a Report, there's some opportunity to go ahead and attach it to a dashboard.

If you do the configuration yourself, eg by accessing the Saved Search in the Manager UI, then you'll see they're the same type of thing. You can in fact have one search that you run to send out alerts, but that you also retain the output of to view in a visualization in a dashboard, for example. But this kind of dual-use scenario is hard to build focused workflows around so it only becomes relevant for people who are really fully controlling the sceanario, such as possibly some Splunk Admin scenarios, or possibly advanced App creators.

shangshin
Builder

Thanks for the detail explanation. Your description is the same as I thought. Basically, it's mainly for the workflow in Splunk 6 UI.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...