Community:Best practices for Splunk alerting

From Splunk Wiki

Jump to: navigation, search

Best practices for Splunk alerting

This topic is a discussion of best practices for configuring Splunk alerting intervals and spans.

Choose an interval

An interval of every minute is probably ok if you have fewer than 20-30 alerts. If the searches your alerts are based on are complex, you should make the interval longer.

Choose a span

In general, it is best to set the span to be slightly longer than the interval. For example, 5 minute intervals are best with 6 minute spans.

Retrieved from "https://wiki.splunk.com/index.php?title=Community:Best_practices_for_Splunk_alerting&oldid=49396"
Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk