Set up alerts via savedsearches.conf
Configure alerts with savedsearches.conf. Use the $SPLUNK_HOME/etc/system/README/savedsearches.conf.example as an example, or create your own savedsearches.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
Follow these steps:
1. Create a saved search.
2. Schedule the search.
3. Define alert conditions.
4. Configure alert actions.
You can set up an alert at the time you create a saved search, or add the alert configurations to your saved search stanza later.
Note: For alerts to be sent out by email, email must be enabled on your Splunk server and the server must be able to contact your email (SMTP) server. Configure email settings by customizing alerts.
Create a saved search
First, set up a saved search:
- Enter your search terms into the search bar and choose Save search... from the drop-down menu to the left of the search bar.
- Fill in the fields to save your search and then click the Schedule & Output link at the top of the Save Search pop up.
You can also set up a saved search via savedsearches.conf.
Schedule the search
Next, schedule your search. This means your search runs on the specified schedule. For example, Splunk runs your search every hour or at midnight. If your search meets the alert conditions, then Splunk alerts you.
Add the following attribute/value pairs to your saved search stanza to run the search on a schedule:
userid = <integer>
- UserId of the user who created this saved search.
- Splunk needs this information to log who ran the search, and to enable editing of the search in Splunk Web.
- Possible values: Any Splunk user ID.
- User IDs are found in $SPLUNK_HOME/etc/passwd. Look for the first number on each line, right before the username. For example:
2:penelope....
enableSched = < 0 | 1 >
- Set this to 1 to enable the schedule for this search. With 0 the search is saved but never runs on its own, so no alert can fire.
- Defaults to 0.
schedule = <string>
- Cron style schedule (five fields: minute, hour, day of month, month, day of week).
- For example, */12 * * * * runs the search every 12 minutes.
execDelay = <integer>
- Amount of time (in seconds) from most recent event to the execution of the scheduled search query.
- Defaults to 0.
Alert conditions
Now define alert conditions. Alert conditions tell Splunk whether or not to send you an alert. Enter a threshold number of events, sources, or hosts in your results. If the alert conditions are met, Splunk notifies you via email or RSS feed or triggers a shell script.
counttype = <string>
- Set the type of count for alerting.
- Possible values: number of events, number of hosts, number of sources, number of sourcetypes.
relation = <string>
- How to compare against counttype.
- Possible values: greater than, less than, equal to, drops by, rises by.
quantity = <integer>
- Number to compare against the given counttype.
So if you have the following:
counttype = number of events
relation = rises by
quantity = 25
Splunk alerts you if the number of events in your search results has risen by 25 since the last time the search ran.
Configure alert actions
Tell Splunk what to do once an alert is triggered. You can enable one or both of the following:
Enable RSS
action_rss = < 0 | 1 >
- Toggle whether or not to create an RSS link.
- 1 to send, 0 to disable.
Send Email
action_email = <string>
- Comma separated list of email addresses to send alerts to.
sendresults = < 0 | 1 >
- Whether or not to send the results along with the email/shell script.
- 1 to send, 0 to disable.
- Note: With 1, the raw matching events leave Splunk in the alert email. For searches over privileged activity (such as the "sudo" example below), make sure the recipient list and mail path are appropriate for that data before enabling it.
maxresults = <integer>
- The maximum number of results the entire query pipeline can generate.
- Defaults to 50000.
- Note: This is different from specifying maxresults via prefs.conf or during a search (the maxresults:search modifier in older versions, or -maxresults in the CLI in versions 3.2 and above).
Example
This example runs a search for events containing the term "sudo" every 12 minutes and raises an RSS alert when the search returns more than 10 events. sendresults is 0, so the matching events themselves are not attached to the alert.
[sudoalert]
action_rss = 1
counttype = number of events
enableSched = 1
quantity = 10
search = sudo
relation = greater than
schedule = */12 * * * *
sendresults = 0
role = Admin
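A stanza that is missing one of the pieces above fails quietly: with enableSched = 0 or an unparseable schedule the search never runs, and with no action_rss or action_email a triggered alert goes nowhere. The following checker is an added example, not part of this documentation or of Splunk itself. It parses a savedsearches.conf with Python's standard-library configparser (Splunk's config files are INI-style) and flags stanzas whose scheduling, alert condition, or action is incomplete, using only the attribute names and allowed values documented on this page. The sample configuration and the sample etc/passwd lines are constructed for the example; of the passwd format only the "<userid>:<username>" prefix described above is relied on.

```python
"""Sanity-check alert stanzas in a Splunk 3.x savedsearches.conf.

Added example (not Splunk's own tooling). It checks that each stanza is
scheduled, has a complete and valid alert condition, resolves its userid
against etc/passwd, and has at least one alert action enabled.
"""
import configparser
import re

COUNT_TYPES = {"number of events", "number of hosts",
               "number of sources", "number of sourcetypes"}
RELATIONS = {"greater than", "less than", "equal to", "drops by", "rises by"}

# One cron field: digits, '*', ',', '-' and '/' only (e.g. "*/12", "0-5", "1,15").
CRON_FIELD = re.compile(r"^[\d*,/-]+$")

# Constructed sample input: one correct stanza and one with three mistakes.
SAMPLE_CONF = """\
[sudoalert]
search = sudo
enableSched = 1
schedule = */12 * * * *
userid = 2
counttype = number of events
relation = greater than
quantity = 10
action_rss = 1
sendresults = 0

[failedlogin_broken]
search = "failed password"
enableSched = 1
schedule = every hour
counttype = number of hosts
relation = more than
quantity = 5
"""

# Constructed sample etc/passwd lines; only "<userid>:<username>" is used.
SAMPLE_PASSWD = """\
1:admin:HASH:Administrator
2:penelope:HASH:Penelope
"""


def valid_cron(schedule):
    """True for a five-field cron expression made of the characters cron accepts."""
    fields = schedule.split()
    return len(fields) == 5 and all(CRON_FIELD.match(f) for f in fields)


def load_passwd(text):
    """Map username -> userid from lines like '2:penelope:...'."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0].isdigit():
            users[parts[1]] = int(parts[0])
    return users


def check_stanza(s, users):
    """Return the list of problems for one saved-search stanza (empty = OK)."""
    problems = []
    if "search" not in s:
        problems.append("no search string")
    # Step 2: scheduling
    if s.get("enableSched", "0") != "1":
        problems.append("enableSched is not 1, so the search never runs on its own")
    if not valid_cron(s.get("schedule", "")):
        problems.append("schedule is missing or not a 5-field cron expression")
    if "userid" in s and (not s["userid"].isdigit()
                          or int(s["userid"]) not in users.values()):
        problems.append("userid %s not found in etc/passwd" % s["userid"])
    # Step 3: alert condition must be complete and use documented values
    cond = [k for k in ("counttype", "relation", "quantity") if k in s]
    if cond and len(cond) != 3:
        problems.append("alert condition incomplete: only %s set" % ", ".join(cond))
    if "counttype" in s and s["counttype"] not in COUNT_TYPES:
        problems.append("unknown counttype %r" % s["counttype"])
    if "relation" in s and s["relation"] not in RELATIONS:
        problems.append("unknown relation %r" % s["relation"])
    if "quantity" in s and not s["quantity"].isdigit():
        problems.append("quantity must be an integer")
    # Step 4: at least one action, or a triggered alert is never delivered
    if s.get("action_rss", "0") != "1" and not s.get("action_email", "").strip():
        problems.append("no alert action (set action_rss = 1 or action_email)")
    return problems


def check_config(conf_text, passwd_text):
    """Map stanza name -> list of problems for every stanza in conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive (enableSched)
    cp.read_string(conf_text)
    users = load_passwd(passwd_text)
    return {name: check_stanza(cp[name], users) for name in cp.sections()}


if __name__ == "__main__":
    for name, problems in check_config(SAMPLE_CONF, SAMPLE_PASSWD).items():
        print("[%s]" % name, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

Run against the constructed input, the checker reports [sudoalert] as OK and lists three problems for [failedlogin_broken]: a schedule that is not cron syntax, a relation that is not one of the five documented values, and no action. To check a real file, replace SAMPLE_CONF and SAMPLE_PASSWD with the contents of your savedsearches.conf and $SPLUNK_HOME/etc/passwd.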
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14