Alerting for admins
This documentation does not apply to the most recent version of Splunk.
Alerts are searches that run either on a regular schedule or in real time; when certain conditions are met, the alert is triggered. When an alert is triggered, an "alert action" takes place, such as an email to stakeholders with the results of the search, an update to an RSS feed, or the triggering of a shell script.
You can use alerts to notify you of changes in your data, network infrastructure, file system or other devices you're monitoring. You can turn any saved search into an alert.
An alert consists of:
- a schedule for performing the search
- conditions for triggering an alert
- actions to perform when the triggering conditions are met
Enabling alerts via configuration files
This chapter deals with alerting from a Splunk administrator's perspective, and focuses on configuring alerts via configuration files, as well as the configuration of scripted alerts such as SNMP traps.
Before reading this topic, you should be thoroughly familiar with the material on alerting in the User Manual. There you'll find instructions for:
Set up an alert at the time you create a saved search, or define an alert around any existing saved search you have permission to edit. Configure alerts via:
Specify overall email settings for alerts
To configure the mail host, email format, subject, and sender, and to specify whether the results of the alert should be included inline:
- In Splunk Web, click Manager > Email alert settings and specify your choices.
- Click Save.
All alerts will now use these settings.
Alerts can also trigger shell scripts. When you configure an alert, specify a script you've written. You can use this feature to send alerts to other applications. Learn more about configuring scripted alerts.
You can use scripted alerts to send syslog events, or SNMP traps.
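The following is an added example, not a script shipped with Splunk or taken from this page: a scripted alert that forwards a triggered alert to syslog. It assumes the legacy scripted-alert convention in which Splunk runs the script from `$SPLUNK_HOME/bin/scripts` with positional arguments (event count, search terms, full query, saved search name, trigger reason, search URL, and, as the eighth argument, the path to the gzipped CSV results), and a `savedsearches.conf` stanza that sets `action.script = 1` and `action.script.filename` to this script's name; the stanza shown in the comments, the search name and the syslog facility are assumptions for illustration.

```shell
#!/bin/sh
# Added example: forward a Splunk scripted alert to syslog via logger(1).
# Assumed savedsearches.conf stanza that wires it up (not from the page):
#   [failed_logins_spike]
#   search = sourcetype=linux_secure "Failed password" | stats count by src
#   enableSched = 1
#   cron_schedule = */5 * * * *
#   counttype = number of events
#   relation = greater than
#   quantity = 0
#   action.script = 1
#   action.script.filename = forward_to_syslog.sh
# Splunk passes: $1 event count, $2 search terms, $3 full query, $4 saved
# search name, $5 trigger reason, $6 search URL, $8 gzipped CSV results path.
# Every value originates from search results or the alert definition, so it is
# always quoted and never passed through eval or an unquoted command line.

# Build a single syslog-friendly record from the alert metadata.
build_message() {
    count="$1"; name="$2"; reason="$3"; url="$4"
    # Collapse newlines so the record stays on one line.
    reason=$(printf '%s' "$reason" | tr '\n' ' ')
    printf 'splunk_alert name="%s" count=%s reason="%s" url="%s"' \
        "$name" "$count" "$reason" "$url"
}

# Count result rows in the gzipped CSV, excluding the header; 0 if missing.
count_results() {
    f="$1"
    [ -f "$f" ] || { echo 0; return; }
    n=$(gzip -dc "$f" | wc -l)
    n=$((n))
    if [ "$n" -gt 0 ]; then n=$((n - 1)); fi
    echo "$n"
}

# Only act when invoked by Splunk with its full argument list; sourcing the
# file for inspection or testing skips this section.
if [ "$#" -ge 8 ]; then
    msg="$(build_message "$1" "$4" "$5" "$6") rows=$(count_results "$8")"
    logger -t splunk -p local0.warning "$msg"
fi
```

The script is deliberately split into functions so the message format and the results-row count can be checked outside Splunk; the only side effect, the `logger` call, runs solely when Splunk supplies its eight arguments.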