The alerting workflow
Alerts combine a saved search, configurations for type and trigger conditions, and alert actions. Here are some details about how the different parts of an alert work together.
Search: What do you want to track?
- Start with a search for the events you want to track. Save the search as an alert.
Alert type: How often do you want to check for events?
- The alert uses the saved search to check for events. Adjust the alert type to configure how often the search runs. Use a scheduled alert to check for events on a regular basis. You can also use a real-time alert to monitor for events continuously.
Alert trigger conditions and throttling: How often do you want to trigger an alert?
- An alert does not have to trigger every time it generates search results. Set trigger conditions to manage when the alert triggers. You can also throttle an alert to control how soon the next alert can trigger after an initial alert.
Alert Action: What happens when the alert triggers?
- When an alert triggers, it can initialize one or more alert actions. An alert action can notify you of a triggered alert and help you start responding to it. You can configure alert action frequency and type.
Getting started with alerts
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0