Review triggered alerts
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Review triggered alerts
You can review a listing of your recently triggered email alert records in the Alert Manager. You open the Alert Manager by clicking the Alerts link at the upper right-hand corner of the Splunk UI. It opens as a new window.
The Alert Manager displays records of triggered alerts that have Tracking selected in their alert definition. Tracking is selected by default for all alerts except those that have a Condition setting of Always.
When you define an alert, you use the Alert expiration setting to determine how long Splunk holds on to the alert records after the alert is triggered. The alert records are removed from the Alert Manager by Splunk according to the Alert expiration setting of their parent alert. If the Alert expiration setting is Never then the alert records generated by that alert remain on the Alerts page until you delete them.
Note: The Alert Manager displays records for triggered alerts that are based on existing saved searches, even if you disable the alerting aspect of those searches after the alerts were triggered. The Alert Manager will not display records of triggered alerts that are based on deleted saved searches, however.
For more information about alerts and alert definition, see "Create an alert" in this manual.
You can filter the Alert Manager listing by app, alert severity, and alert type. You can also search for specific keywords using the search box. The keyword search applies to fired alert names (which are the same as the names of the searches or reports upon which the alerts are based) and the alert severity (so you can search specifically for alerts of Critical severity, if necessary).
Additionally, the Alert Manager enables you to delete individual alert records.
Note that the Severity column enables you to quickly spot those alert records that have been given a higher severity level (such as High or Critical). You define alert severity when you set up or update the alert definition.
Splunk associates each alert record with a saved search artifact that holds the results of the search that triggered the alert. Click the name of a specific alert record to see the results captured in the related search artifact, back in your main Splunk browser window.
Click the name of a specific alert record to see the results captured by that alert back in your main Splunk browser window. This is a search job artifact; it won't contain any events that weren't returned by the search job that originally triggered the alert.
For example, say you have a Firewall breach alert with an Alert expiration setting of 1 day. If the Firewall breach alert is triggered at 3pm, the related alert record will be deleted from the Alert Manager at 3pm the next day.
Setting up tracking when upgrading to 4.2
When you upgrade your Splunk instance to 4.2, be aware that by default existing alerts do NOT show up in the alert manager. To quickly update your existing alerts so that they show up in the alert manager, edit the relevant copy of
alert.track = true to the stanzas of each saved search that you have set up as an alert and want to see tracked in the Alert Manager. Review "About configuration files" in the Admin Manual for details about configuration files.