Admin Manual


How does alerting work in Splunk?

This documentation does not apply to the most recent version of Splunk.

Alerts are saved searches that run either on a schedule or in real time and that fire when their results meet a condition you define. When an alert fires, one or more alert actions take place, such as emailing the results to stakeholders, updating an RSS feed, or running a shell script.

You can use alerts to notify you of changes in your data, your network infrastructure, your file system, or any other device you monitor. Any saved search can be turned into an alert.

An alert consists of:

  • a schedule for performing the search
  • conditions for triggering an alert
  • actions to perform when the triggering conditions are met

Enabling alerts via configuration files

This chapter covers alerting from a Splunk administrator's perspective: configuring alerts through configuration files, and setting up scripted alerts such as SNMP traps.

Before reading this topic you should be thoroughly familiar with the material on alerting in the User Manual. There you'll find:

Enable alerts

Set up an alert at the time you create a saved search, or define an alert around any existing saved search you have permission to edit. Configure alerts via:

Specify overall email settings for alerts

To set the mail host, SMTP security, email format, subject, and sender, and to choose whether the alert's results are included inline in the message:

  • In Splunk Web, click Manager > System settings > Email alert settings and specify your choices.
  • Click Save.

These settings apply to every alert that sends email.

Scripted alerts

Alerts can also run shell scripts. When you configure an alert, specify a script you have written; Splunk runs it each time the alert fires. Use this to hand alerts off to other applications. Configuring scripted alerts is covered in its own topic.

You can use scripted alerts to send syslog events or SNMP traps. Because the script runs with the privileges of the Splunk process, and because the search results it receives come from indexed data, treat the ability to create or edit a scripted alert as equivalent to code execution on the Splunk host, restrict that permission accordingly, and never pass result fields to eval or to another shell unsanitised.
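The following is an added example of a scripted-alert handler that forwards a triggered alert to syslog; it is not Splunk's own code or a script from this manual. It assumes the Splunk 4.x calling convention for alert scripts, in which the script receives positional arguments and $1 is the number of events, $4 the saved search name, $5 the trigger reason, and $8 the path to a gzipped CSV of the search results. The function names, the sample results file, and the `splunk_alert` syslog tag are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Splunk's own code): forward a fired alert to syslog.
# Assumed Splunk 4.x argument layout: $1 = event count, $4 = saved search name,
# $5 = trigger reason, $8 = path to a gzipped CSV of the results.
# Install under $SPLUNK_HOME/bin/scripts/, executable by the Splunk user only.

# make_sample_results: write a constructed results file standing in for the one
# Splunk would pass as $8, and print its path.
make_sample_results() {
    f=$(mktemp /tmp/alert_results.XXXXXX)
    printf 'host,failed_logins\nweb01,42\nweb02,7\n' | gzip -c > "$f"
    printf '%s\n' "$f"
}

# format_alert_message COUNT NAME REASON RESULTS_GZ
# Print one key=value line for syslog, built from the alert metadata and the
# first result row. Returns non-zero (and prints nothing) if the results file
# is unreadable, so a missing file cannot produce a misleading notification.
format_alert_message() {
    count="$1"; name="$2"; reason="$3"; results="$4"
    if [ ! -r "$results" ]; then
        echo "alert handler: results file not readable: $results" >&2
        return 1
    fi
    # Row 1 of the CSV is the header, so the first result is row 2.
    first_row=$(gzip -dc "$results" | sed -n '2p')
    # Result fields are attacker-influenced (they come from indexed events):
    # strip control characters so a crafted field cannot inject extra syslog
    # lines, and keep the value inside double quotes rather than evaluating it.
    first_row=$(printf '%s' "$first_row" | tr -d '\000-\037')
    printf 'splunk_alert name="%s" reason="%s" count=%s first_result="%s"\n' \
        "$name" "$reason" "$count" "$first_row"
}

# send_to_syslog MESSAGE: hand the line to the local syslog daemon via logger(1).
send_to_syslog() {
    logger -t splunk_alert -p local0.warning -- "$1"
}

if [ "$#" -ge 8 ]; then
    # Invoked by Splunk: use the real arguments.
    msg=$(format_alert_message "$1" "$4" "$5" "$8") && send_to_syslog "$msg"
else
    # Run by hand with no arguments: show the line the constructed sample yields.
    sample=$(make_sample_results)
    format_alert_message 2 "failed_logins_spike" "saved" "$sample"
    rm -f "$sample"
fi
```

To wire the script to a saved search in savedsearches.conf, set `action.script = 1` and `action.script.filename` to the script's file name in that search's stanza. The handler deliberately does not interpolate result fields into a command line: anything that reaches `eval`, `sh -c`, or an unquoted variable is an injection path controlled by whoever can write events into the index.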

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6.