Alerting
Any search that you save can be scheduled and turned into an alert.
Save a search
Let's save our last search from the previous tutorial, which was a search for:
> index::sampledata eventtype::trade_app_logouts
Schedule it
Choose the Save Search menu command. In the Save Search dialog, select "Schedule & Alerts."
Select "Run this search on a schedule" and define the schedule either from the dropdown or, for a more precise schedule, by entering cron notation under "Advanced scheduling."
Set alerting conditions
You can define alerting conditions based on thresholds and deltas in the number of events, sources and hosts in your results.
Set the alerting method
You can get alerts via RSS and email. You can also trigger a shell script, such as a script to generate an SNMP trap or call an API to send the event to another system. If you need additional email options (like setting the From: address) see the Alerts page in the Developer manual.
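As an added example (not code from the Splunk documentation or product), the script below is the kind of shell script an alert can trigger: it records the alert in a hand-off log and, when net-snmp's snmptrap is installed, sends the same fields as an SNMP trap. It assumes Splunk passes the trigger details as positional arguments in the order event count, search terms, full query, saved search name, trigger reason and saved-search URL; that order, the ALERT_LOG, SNMP_HOST, SNMP_COMMUNITY and TRAP_OID settings, and the enterprise OID are assumptions, not values from this page. Because the search name and query come from whoever saved the search, the script treats them as untrusted text and strips newlines and quotes before writing them out.

```shell
#!/bin/sh
# Added example alert-action script; not part of the Splunk documentation.
# Assumed argument order from Splunk (an assumption, check the Developer manual):
#   $1 number of events   $2 search terms   $3 fully qualified query
#   $4 saved search name  $5 trigger reason $6 URL to the saved search

ALERT_LOG="${ALERT_LOG:-/tmp/splunk_alert_handoff.log}"   # assumed location
TRAP_OID="${TRAP_OID:-1.3.6.1.4.1.99999.1}"               # placeholder enterprise OID

# Collapse newlines to spaces and escape double quotes so a search name or query
# cannot break one alert record into two or terminate a quoted field early.
sanitize() {
    printf '%s' "$1" | tr '\n\r' '  ' | sed 's/"/\\"/g'
}

# Succeed only when the event count is a non-negative integer.
valid_count() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build one key="value" record: $1 count, $2 query, $3 name, $4 reason, $5 url.
format_record() {
    printf 'search="%s" count="%s" reason="%s" query="%s" url="%s"' \
        "$(sanitize "$3")" "$1" "$(sanitize "$4")" "$(sanitize "$2")" "$(sanitize "$5")"
}

# Append a timestamped record to the hand-off log; refuse (status 1) if the
# count is not numeric, so a malformed invocation never produces a half record.
record_alert() {
    valid_count "$1" || return 1
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(format_record "$@")" >> "$ALERT_LOG"
}

# Send the alert as an SNMPv2c trap if snmptrap is available; $1 name, $2 count, $3 reason.
# Host and community are assumed to come from the environment.
send_trap() {
    command -v snmptrap >/dev/null 2>&1 || return 0
    snmptrap -v 2c -c "${SNMP_COMMUNITY:-public}" "${SNMP_HOST:-localhost}" '' "$TRAP_OID" \
        "$TRAP_OID.1" s "$(sanitize "$1")" \
        "$TRAP_OID.2" i "$2" \
        "$TRAP_OID.3" s "$(sanitize "$3")"
}

main() {
    record_alert "$1" "$3" "$4" "$5" "$6" || { echo "rejected event count: $1" >&2; exit 2; }
    send_trap "$4" "$1" "$5"
}

# Only act when Splunk actually supplied arguments; sourcing the file for tests runs nothing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The log record uses the same key="value" shape Splunk itself indexes well, so the hand-off log can be monitored by a second search if the trap path fails.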
Permalink your saved search
You can share any search with other users by creating a Permalink. To create a Permalink for any search:
- Click the search bar drop-down menu.
- Click Permalink to create a Permalink URL in your browser's URL text bar.
- Share the Permalink by copying and pasting it to other users.
Note: Splunk doesn't Uuencode its Permalink URLs. Some browsers may experience problems resolving Permalinks if they aren't Uuencoded.
Manage your saved searches and alerts
We've set up a number of saved searches and alerts in this tutorial. To delete or change them later, click the drop-down arrow on the left-hand side of the search bar, select "saved searches", and then select "manage saved searches". This takes you to the manage saved searches screen, where you can edit your saved searches.
You can display saved searches on the dashboard either by selecting the dashboard in the Save Search dialog box when you create the search, or by selecting the dashboard from the drop-down menu on the home page and clicking Edit. In the dialog box, select the saved searches you'd like to see and click Apply.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4