How does alerting work in Splunk?
Alerts are searches that run either on a regular schedule or in real time; when the search results meet conditions you define, the alert is triggered. When an alert is triggered, an "alert action"--such as an email to stakeholders with the results of the search, an update to an RSS feed, or the triggering of a shell script--takes place.
You can use alerts to notify you of changes in your data, network infrastructure, file system or other devices you're monitoring. You can turn any saved search into an alert.
An alert consists of:
- a schedule for performing the search
- conditions for triggering an alert
- actions to perform when the triggering conditions are met
Enabling alerts via configuration files
This chapter deals with alerting from a Splunk administrator's perspective, and focuses on configuring alerts via configuration files, as well as the configuration of scripted alerts such as SNMP traps.
Before reading this topic you should be thoroughly familiar with the material on alerting in the User Manual. There you'll find:
- Instructions for configuring alerts through the Splunk Web user interface, both through the Create Alert dialog box and the Alerts page in Manager.
- Discussion of a few representative alerting examples.
- Information about the Alert Manager, which enables you to review your triggered alerts.
Set up an alert at the time you create a saved search, or define an alert around any existing saved search you have permission to edit. Configure alerts via:
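The following shell script is an added example and is not part of the Splunk documentation or of any Splunk app. It writes an alert as a stanza into an app's local/savedsearches.conf and checks that the stanza carries all three parts of an alert described at the top of this page: a schedule, a trigger condition and an action. The key names are the Splunk 4.3 savedsearches.conf keys; the stanza name, the search, the app directory, the mail address and the script file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Splunk docs): install an alert as a stanza in
# an app's local/savedsearches.conf and check that it carries the three
# parts of an alert: a schedule, a trigger condition and an action.
# Key names are the Splunk 4.3 savedsearches.conf keys; the stanza name,
# search, mail address and script name are illustrative assumptions.
set -eu

# The stanza.  Comment lines say which part of the alert each key serves.
alert_stanza() {
    cat <<'EOF'
[Failed logins burst]
search = index=os sourcetype=linux_secure "Failed password" | stats count by src_ip, user
# schedule: run every five minutes over the previous five minutes,
# snapped to the minute so consecutive runs do not overlap
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# condition: trigger when the search returns more than ten result rows
alert_type = number of events
alert_comparator = greater than
alert_threshold = 10
# throttle repeats for 15 minutes and record firings in the Alert Manager
alert.suppress = 1
alert.suppress.period = 15m
alert.track = 1
alert.severity = 4
# actions: e-mail the rows inline and hand them to a script in bin/scripts
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$
action.email.inline = 1
action.script = 1
action.script.filename = failed_logins.sh
EOF
}

# Check a stanza read from stdin for the three parts.  Prints the names of
# the missing parts (space separated) and returns 1 if any is missing.
# An unstated alert_type is flagged because the default, "always", fires
# on every scheduled run; alert_type = custom needs an alert_condition.
check_alert_stanza() {
    _conf=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' \
                -e 's/[[:space:]]*=[[:space:]]*/=/')
    _missing=""
    { echo "$_conf" | grep -q '^enableSched=1$' &&
      echo "$_conf" | grep -q '^cron_schedule=.' ; } ||
        _missing="$_missing schedule"
    if echo "$_conf" | grep -q '^alert_type=custom$'; then
        echo "$_conf" | grep -q '^alert_condition=.' ||
            _missing="$_missing condition"
    else
        echo "$_conf" | grep -q '^alert_type=.' ||
            _missing="$_missing condition"
    fi
    echo "$_conf" | grep -q '^action\.[a-z_]*=1$' ||
        _missing="$_missing action"
    echo "${_missing# }"
    [ -z "$_missing" ]
}

# Append the stanza to <app>/local/savedsearches.conf (the layer that
# survives updates of the app's default/ files) after checking it, then
# show how Splunk resolves the merged stanza if the splunk binary is on PATH.
install_alert_stanza() {  # $1 = path to the app directory
    alert_stanza | check_alert_stanza >/dev/null || return 1
    mkdir -p "$1/local"
    alert_stanza >> "$1/local/savedsearches.conf"
    if command -v splunk >/dev/null 2>&1; then
        splunk btool savedsearches list "Failed logins burst" --debug
    fi
}
```

Run `install_alert_stanza $SPLUNK_HOME/etc/apps/<app>` as the Splunk user and restart Splunk, or reload the app, so the scheduler picks the stanza up; `btool --debug` tells you which file each setting finally came from, which is the quickest way to catch a default/ or another app's stanza overriding your local/ values.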
Specify overall email settings for alerts
To configure the mail host, SMTP email security, email format, subject, and sender, and to identify whether or not the results of the alert should be included inline:
- In Splunk Web, click Manager > System settings > Email alert settings and specify your choices.
- Click Save.
All alerts will now use these settings.
Alerts can also trigger shell scripts. When you configure an alert, specify a script you've written. You can use this feature to send alerts to other applications. Learn more about configuring scripted alerts.
You can use scripted alerts to send syslog events, or SNMP traps.
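An added example of a scripted alert, not code from the Splunk documentation or from a Splunk app: it takes the positional arguments Splunk passes to an alert script, unpacks the gzipped results CSV and forwards each result row to syslog as a key="value" line through logger. The argument positions follow the Configure scripted alerts topic; the syslog tag and priority, the ALERT_DRYRUN hook and the sample rows in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Splunk docs or any Splunk app: a scripted
# alert that forwards each result row of the triggering search to syslog.
# Splunk runs the script named in action.script.filename from
# $SPLUNK_HOME/bin/scripts (or an app's bin/scripts) with these arguments:
#   $1 number of events   $2 search terms   $3 fully qualified query
#   $4 saved search name  $5 trigger reason $6 URL to the saved search
#   $7 (unused)           $8 path to the gzipped results CSV
# The syslog tag and priority are assumptions; ALERT_DRYRUN is a hook of
# this example (write lines to a file instead of logger), not a Splunk key.
set -eu

# Print one key="value" line per data row of a Splunk results CSV.
# results.csv.gz double-quotes values, so a plain -F, split would break on
# embedded commas; split_csv() honours quotes and "" escapes (rows are
# assumed to carry no embedded newlines).
csv_to_kv() {  # $1 = path to the uncompressed CSV
    awk '
    function split_csv(s, out,    n, i, c, q, f) {
        n = 0; f = ""; q = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\"") {
                if (q && substr(s, i + 1, 1) == "\"") { f = f "\""; i++ }
                else q = !q
            } else if (c == "," && !q) { out[++n] = f; f = "" }
            else f = f c
        }
        out[++n] = f
        return n
    }
    NR == 1 { nh = split_csv($0, h); next }      # header row: field names
    /^[ \t]*$/ { next }                           # skip blank trailer lines
    {
        n = split_csv($0, v); line = ""
        for (i = 1; i <= n && i <= nh; i++) {
            val = v[i]; gsub(/"/, "\\\\\"", val)  # escape embedded quotes
            line = line (i > 1 ? " " : "") h[i] "=\"" val "\""
        }
        print line
    }' "$1"
}

# Deliver one line.  ALERT_DRYRUN=<file> appends to that file instead of
# calling logger, so the handler can be exercised without a syslog daemon.
emit() {  # $1 = syslog tag, $2 = message
    if [ -n "${ALERT_DRYRUN:-}" ]; then
        printf '%s\n' "$2" >> "$ALERT_DRYRUN"
    else
        logger -t "$1" -p local0.warning -- "$2"
    fi
}

# Entry point: call with Splunk's eight arguments.  Prints the number of
# rows forwarded; returns 1 if there is nothing to forward.  $2 and $3 are
# search text, i.e. data, and are deliberately never handed to a shell.
handle_alert() {
    count="${1:-0}"; name="${4:-unknown}"; reason="${5:-}"; results="${8:-}"
    if [ "$count" -eq 0 ] || [ ! -r "$results" ]; then
        echo "no results file for alert '$name'" >&2
        return 1
    fi
    tmp=$(mktemp)
    gzip -dc "$results" > "$tmp"
    n=0
    # Prefix every row with the alert's identity so the collector can
    # correlate the rows that belong to one firing.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        emit "splunk-alert" "alert=\"$name\" reason=\"$reason\" $line"
        n=$((n + 1))
    done <<EOF
$(csv_to_kv "$tmp")
EOF
    rm -f "$tmp"
    echo "$n"
}

# Run the handler when Splunk invokes the script with its arguments; with
# no arguments (e.g. when sourced for testing) only the functions are defined.
if [ $# -ge 8 ]; then handle_alert "$@"; fi
```

Install the file as `$SPLUNK_HOME/bin/scripts/failed_logins.sh` (or under an app's bin/scripts), make it executable, and reference it from the alert's `action.script.filename`. The script runs as the account Splunk runs under, so that account needs permission to run logger and to read the results file; keep the script free of anything that expands the search text or trigger reason into a command, since those strings are controlled by whoever can edit the saved search.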
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7