Real time Alert

omarka · ‎07-13-2018

Hello,

I'm trying to generate an alert if the result is greater than 2, but i don't have the field Real-Time as shown in the picture:

Is there any other way to generate this alert ?

Thank you

woodcock · ‎07-15-2018

There are very, Very, VERY good reasons that your admin has wisely taken away Real-Time, including:

1: Any real-time anything locks 1 core on EVERY Indexer and Your Search-Head. This does not scale.
2: You don't need it. If you cannot react to the alert in ~1s, a short-window regular search is just as effective.
3: There is pipeline latency in getting events into Splunk and a real-time search may search for your event before it has even arrived on the indexer and make for many false-negatives.

Despite what all of the marketing and training says, SPLUNK IS *NOT* A REAL-TIME PRODUCT!

renjith_nair · ‎07-13-2018

Hi @omarka,

You need schedule_rtsearch permission to schedule a real time search.
Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible. You could use schedule search to run every 1 minute which should be enough in most of the uses Define scheduled alerts. Also have a look at the Best Practices.

Happy Splunking!

Real time Alert

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM