What is a Splunk saved search and a scheduled alert? [Advanced]
Answer
A Splunk saved search is a stored SPL query with permissions and an optional schedule. A scheduled alert is a saved search that runs on a schedule and triggers one or more actions when its defined trigger condition is met.
Technical explanation
Saved searches standardize repeated analysis and can back dashboards, reports, or alerts.
Scheduled alerts should use efficient SPL, bounded time windows, and clear trigger conditions.
Alert actions can send notifications by email or webhook, open tickets in an ITSM system, page on-call tooling, or call custom integrations.
Hands-on example
Example: save the search

index=prod_app service=checkout earliest=-5m level=ERROR | stats count by error_code

and schedule it every five minutes. Trigger if count > 100 for error_code=PAYMENT_TIMEOUT, then send a webhook to the incident system with dashboard and runbook links.
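How that scheduled alert could be defined in savedsearches.conf, added here as an illustration rather than taken from the question; the stanza name, the app it lives in, and the runbook, dashboard, and webhook URLs are assumed placeholders. The time bounds are moved out of the SPL into dispatch.* and snapped to the minute so each run covers exactly one five-minute window.

```ini
# savedsearches.conf in the app that owns the alert (assumed: search app)
# Stanza name is the alert name shown in Splunk
[checkout_payment_timeout_errors]
# The search from the example; runbook and dashboard links are added as
# result fields so they travel inside the webhook payload ("result" object)
search = index=prod_app service=checkout level=ERROR \
    | stats count by error_code \
    | eval runbook="https://runbooks.example.invalid/payment-timeout" \
    | eval dashboard="https://splunk.example.invalid/app/search/checkout_health"

# Bounded, minute-snapped window; matches the cron below with no gap/overlap
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Run every five minutes
enableSched = 1
cron_schedule = */5 * * * *
schedule_window = auto

# Trigger only when the PAYMENT_TIMEOUT row exceeds 100 errors in the window
counttype = custom
alert_condition = search error_code="PAYMENT_TIMEOUT" count>100

# Fire once per run (digest), record it under Triggered Alerts, mark as High
alert.digest_mode = 1
alert.track = 1
alert.severity = 4

# Throttle: at most one notification per error_code every 15 minutes,
# so an ongoing incident does not page the on-call every 5 minutes
alert.suppress = 1
alert.suppress.fields = error_code
alert.suppress.period = 15m

# Webhook to the incident system (URL is an assumed placeholder)
action.webhook = 1
action.webhook.param.url = https://incident.example.invalid/hooks/splunk

disabled = 0
```

Splunk's built-in webhook sends a fixed JSON body containing the search name, a results link, and the first result row, which is why the links are computed as fields in the search rather than configured on the action.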