Best practices for Splunk alerting

This topic is a discussion of best practices for configuring Splunk alerting intervals and spans.

Choose an interval

An interval of one minute is probably fine if you have fewer than 20-30 alerts. If the searches your alerts are based on are complex, use a longer interval.

Choose a span

In general, it is best to set the span slightly longer than the interval, so that consecutive search windows overlap. For example, 5-minute intervals are best with 6-minute spans.
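The following is an added example, not part of the original topic and not Splunk's own code. It models a scheduled alert the way Splunk dispatches it (each run at scheduled time T searches events whose _time lies in [T - span, T), but can only return events that were already indexed when the run started), and assumes that the reason to overlap windows is indexing lag: an event whose _time is inside a window but which arrives at the indexer after that run has fired. The sample events are constructed; a few are indexed 45 seconds late to stand in for a forwarder backlog. Running coverage() with a 5-minute interval and a 5-minute span shows those late events are never alerted on, while a 6-minute span catches them at the cost of some events being returned by two consecutive runs.

```python
"""Model of a Splunk scheduled alert's search windows (added example, constructed data)."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Event:
    event_time: int   # the event's _time, in seconds since an arbitrary epoch
    index_time: int   # when the indexer made the event searchable


def schedule(interval: int, span: int, horizon: int) -> Iterator[Tuple[int, int]]:
    """Yield (earliest, latest) windows for runs at T = interval, 2*interval, ... <= horizon.

    This mirrors dispatch.earliest_time = -<span> and dispatch.latest_time = now,
    evaluated relative to the scheduled run time.
    """
    t = interval
    while t <= horizon:
        yield (t - span, t)
        t += interval


def runs_seeing(event: Event, interval: int, span: int, horizon: int) -> int:
    """Number of scheduled runs whose search returns this event.

    A run returns the event only if _time falls inside its window AND the event
    had already been indexed when the run fired (index_time <= latest).
    """
    return sum(
        1
        for earliest, latest in schedule(interval, span, horizon)
        if earliest <= event.event_time < latest and event.index_time <= latest
    )


def coverage(events: List[Event], interval: int, span: int, horizon: int) -> Tuple[List[int], List[int]]:
    """Return (missed, duplicated) as lists of event _time values.

    missed     : events no run ever returned (the alert silently skipped them)
    duplicated : events returned by more than one run (fired twice unless throttled)
    """
    missed = [e.event_time for e in events if runs_seeing(e, interval, span, horizon) == 0]
    duplicated = [e.event_time for e in events if runs_seeing(e, interval, span, horizon) > 1]
    return missed, duplicated


# Constructed sample: one event every 30 s over 20 minutes. Most are indexed
# within 5 s; the event 30 s before each 5-minute boundary is indexed 45 s late.
SAMPLE_EVENTS = [
    Event(t, t + (45 if t % 300 == 270 else 5)) for t in range(0, 1200, 30)
]
HORIZON = 1500  # last scheduled run considered, comfortably after the last event


if __name__ == "__main__":
    for span in (300, 360):
        missed, dup = coverage(SAMPLE_EVENTS, interval=300, span=span, horizon=HORIZON)
        print(f"interval=300s span={span}s  missed={missed}  duplicated={dup}")
```

With span equal to the interval the four late-indexed events are never returned by any run, which is the failure mode that matters for a detection: the alert stays quiet. With the span one minute longer every event is returned at least once, and the events that land in the one-minute overlap are returned by two consecutive runs. In Splunk the usual way to keep that overlap from producing duplicate notifications is alert throttling on the saved search (the alert.suppress settings in savedsearches.conf), keyed on the fields that identify the event.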

