Create an alert
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Create an alert
Any time you have a saved search or report, you can schedule it to run regularly. You can also set an alert if certain conditions are met, for example if the number of results is greater than or less than a certain threshold. This topic shows how to schedule a search for slow transactions and trigger an email alert when there are more than 6 slow transactions in an hour.
Edit a search
You can schedule a search when you first create it, or you can go back and edit a saved search to add scheduling and alerts. To open a saved search:
1. From the Search app, click Manager in the upper right of the screen.
2. Click Searches and Reports.
3. Click on the name of the search you want to edit.
Save a search.
Schedule a search
Start by scheduling the search to run hourly. You can do this when you first create a search, or with a search you have already saved. To add a schedule to a previously saved search:
1. Skip down to Schedule this search and select it.
Note: You can also schedule a search when you first create it.
2. Select Basic as the Schedule type and set the search to Run every hour
Set an alert
You can set your scheduled search to generate an alert when certain conditions are met. Use the Alert conditions section to trigger an alert.
1. Select Perform actions if number of events, then select is greater than and enter 6.
2. Select Send email under Alert Actions.
3. Enter the email address where you want the alert sent. For example, some_admin@myco.com,another_admin@myco.com. By default, alerts are sent from splunk@>splunk-hostname< with the subject SplunkAlert->savedsearchname<.
4. Click Save.
Note:In order to send email, you must set up your MTA in Manager > System Settings > Email alert settings.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.