Save and schedule searches, set alerts, and enable summary indexing
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Save and schedule searches, set alerts, and enable summary indexing
You can turn any saved search Admin > Saved Searches into a scheduled alert. To schedule a saved search, define a frequency for your search to run. To turn a scheduled search into an alert, set conditions for triggering the alert. Then, define actions to perform when the alert conditions are met.
For more information about using Splunk for alerting, watch this video.
This page discusses how to save searches, schedule searches, and configure alert conditions. For more in-depth discussion of saved searches and alerting, see the Admin manual section on saved searches.
Save a search
First, create a saved search:
1. Click on the search bar drop-down menu and select Save search...
This opens the Save search dialog box.
2. In the Search tab, name your search.
3. In the Search field, edit your search if necessary.
4. Select a role to share your saved search.
You can Share with role Admin, Everybody, User, and Power, or Don't Share with anyone.
5. Check one more dashboards to save and display your search.
4. Click Save.
Schedule a search
Then, set a schedule for your search:
1. From the search bar menu, choose Save search...
2. Click the Schedule and Alert tab.
3. Under Schedule, check Run this search on a schedule.
4. Choose either Basic or Cron to define your schedule frequency.
- Basic lets you choose from predefined schedule options, Run every: minute, 5 minutes, 30 minutes, hour, 12 hours, day at midnight, day at 6pm, and Saturday at midnight.
- Cron lets you use cron notation to define your schedule frequency.
Caution: Splunk implements cron differently than standard POSIX cron. Use the */n as "divide by n" (instead of crontab's "every n"). For example, enter */3* * * 1-5 to run your search every twenty minutes, Monday through Friday.
Here are some other Splunk cron examples:
"*/12 * * * *" : "Every 5 minutes" "*/2 * * * *" : "Every 30 minutes" "0 */2 * * *" : "Every 12 hours, on the hour"
Specify time range
To ensure that you get all the results within a time period, you may want to edit the Search field (in the Search tab) to include a specific time range in your search. For example, if you want all the results within an hour time window, such as between 4 PM and 5 PM:
- Add the terms
startminutesago=90andendminutesago=30to your search. - Use Cron notation to define your schedule on the half hour.
Configure an alert
After you schedule a search, you can configure an alert. Define alert conditions based on thresholds in the number of events, sources, and hosts in your results. When these conditions are met, Splunk notifies you via email or RSS feed.
To configure an alert, define the alert condition:
1. In the first drop-down menu under Alert when, choose either always, number of events, number or sources, or number of hosts.
2. In the second drop-down menu under Alert when, choose a comparison operation: greater than, less than, equal to, rises by, or drops by.
3. In the text field under Alert when, enter a value.
For example, you may want to "Alert when number of events [is] greater than 10".
4. Define how you want Splunk to notify you.
- If you want to receive information in a RSS feed, check Create an RSS feed.
- If you to receive email notification, enter one or more email addresses under Send email. Separate multiple addresses with a comma.
Note: You can combine any of these options.
5. Next, if you want to include the search results in your alert, check Include results.
6. Finally, if you want to run a shell command when an alert triggers, enter the command under Trigger shell script. For example, you may want to trigger a script to generate an SNMP trap or call an API to send the event to another system. For more details on configuring alerts, see the Admin Manual topic on alerts.
Specify fields to show
When you receive alerts, Splunk includes all the fields in your search. Edit the saved search to specify which fields you want included and excluded.
- To eliminate a field, pipe your search to
fields - $FIELDNAME. - To add a field, pipe your search to
fields + $FIELDNAME.
You can specify multiple fields to include and exclude in one string. For example, your Search field may be:
yoursearch starthoursago=3 | fields - $FIELD1,$FIELD2 + $FIELD3,$FIELD4
The alert you receive will exclude $FIELD1 and $FIELD2, but include $FIELD3 and $FIELD4.
Enable summary indexing
Summary indexing is an alert action that you can configure for any scheduled search which already exists.
1. In the Admin page in Splunk Web, create a scheduled search in the Saved searches heading.
2. Select Run this search on a schedule to configure alert properties for the scheduled search. If you want your search to run every time without checking for an alert condition, select "always" as the alert condition.
3. Check Enable summary indexing.
4. Optionally, add a field/value pair search results that are being summary indexed from the scheduled search.
Once you enable summary indexing, configure it further by editing configuration files.
When the summary indexing search runs, it will tell you that the result has been "stashed".
Note: Currently, you can only add one field/value pair when configuring summary indexing in Splunk Web. You can add additional field/values to events by specifying them in savedsearches.conf.
Note: Learn about summary indexing.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.