Scheduled or real time
We've looked at scheduled alerts in detail in this chapter, so now, let's take a look at Splunk's ability to provide real-time alerts.
With real-time searching, you can search for events before they are indexed and preview the results as the events stream in. Based on real-time searches, you can create alerts that run continuously in the background to deliver timelier notifications than alerts that are based on scheduled searches.
Creating a real-time alert follows the same steps as creating a scheduled alert:
On the Search page, click on Save As.
When the Save As Alert dialog opens, give your alert a name and a description.
Set Alert type to the kind of alert you want to configure, in this case Real Time:
When you select Real Time, the scheduling fields disappear (a real-time search runs continuously, so no schedule is needed), and you can choose one of the following Trigger condition options:
Per-Result: This is triggered whenever a search returns a result
Number of Results: This is triggered based on the number of search...
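Every alert created in the Save As Alert dialog is written to savedsearches.conf, which makes the difference between the two alert types easy to see on disk. The following stanzas are an added example, not from the book: the same failed-login search defined once as a scheduled alert and once as a real-time, per-result alert. The stanza names, the index, the sourcetype and the recipient address are assumptions.

```ini
# Added example (not from the book). Stanza names, index=auth,
# sourcetype=linux_secure and the e-mail address are assumptions.

# Scheduled alert: the scheduler runs the search every 5 minutes over
# the previous 5 minutes and triggers when it returns any results.
[Failed logins - scheduled]
search = index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */5 * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
action.email = 1
action.email.to = soc@example.com

# Real-time alert: there is no cron_schedule. The rt- time range keeps the
# search running continuously over a sliding 1-minute window, alert_type =
# always fires whenever results arrive, and digest mode off runs the action
# once per result (the UI's Per-Result trigger condition).
[Failed logins - real-time]
search = index=auth sourcetype=linux_secure "Failed password"
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
enableSched = 1
alert_type = always
alert.digest_mode = 0
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.com
# Per-result with no throttling would send one e-mail per failed login
# attempt; suppress repeats from the same source for 10 minutes.
alert.suppress = 1
alert.suppress.fields = src_ip
alert.suppress.period = 10m
```

The throttling keys at the end are the check a practitioner wants before enabling a per-result real-time alert: a brute-force burst against a single host would otherwise turn the alert itself into a flood of notifications, and a real-time search also holds a search slot on the search head for as long as it is enabled.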