Create and modify alerts in Splunk App for Infrastructure
Use alerts to monitor and respond to specific events. Alerts trigger when alert thresholds set for a metric on an entity or group meet specific conditions. Creating an alert includes:
- Selecting metrics that the alert will track.
- Configuring a threshold for the alert that triggers when a tracked metric reaches the threshold.
- Configuring alert notifications to receive an email or VictorOps notification when a tracked metric triggers the alert.
When you create an alert, it appears in the Alerts drop-down in the Data section of the Analysis Workspace for the entity or group, and displays in the Entity or Group view of the Alerts page if triggered.
Create an alert
Follow these steps to configure an alert for an entity or group. Before you create an alert that sends a notification, you need to configure notification settings. For more information, see Configure alert notifications in Splunk App for Infrastructure.
- Select an entity or group from the Entity or Group view to drill down into the Analysis Workspace.
- From the Data section of the entity or group's Analysis Workspace, select a metric for which you want to create an alert.
- (Optional) Select a metric and click Split by (when viewing a metric for a group, Split all by) to split the metric by a specific dimension. You can split a metric by any dimension for an entity or group when creating an alert. If you split by a host-identifying dimension when creating a group alert, entities in the group that reach the threshold for the alert will trigger the alert and appear in the Entities view of the Alerts tab. If you do not split by a dimension when creating a group alert, or split by any dimension that's not a host-identifying dimension, the alert will trigger for the whole group, and will appear in the Groups view of the Alerts tab. Here are some examples of host-identifying dimensions:
- (Optional) Drag your cursor over a time area and data point in the chart to pinpoint what data to use to create the alert.
- In the top-right corner of the chart, click the icon.
- Click Create Alert. If you do not see the Create Alert option, you might not be logged in as a user with permissions to create alerts. The metrics panel also needs to contain data to create an alert.
- In the Create Alert window, set alert thresholds for the metric. The alert chart in the dialog visually displays the thresholds.
- (Optional) Enter a custom name for the alert that follows the character requirements. If you do not, a name for the alert is generated automatically.
- Set up trigger conditions for thresholds. The Critical threshold is required. You can adjust this threshold value, but the threshold cannot be deleted.
- (Optional) Click Add New Threshold to create a Warning threshold as well.
- For the If field, select greater than or less than to set the threshold hierarchy. If you select greater than, the Critical threshold is a maximum threshold. If you select less than, the Critical threshold is a minimum threshold.
- Modify the value to meet each threshold. You can enter a value or drag the point on the y-axis of the chart in the Create Alert window.
- Click Alert Notification to set up a notification. You can configure an alert to send notifications via email, VictorOps for Splunk, a Slack webhook, or a custom webhook when the alert severity improves, degrades, or changes at all. If you select one of the webhook notification options, you can select the default webhook you entered in the notification settings or enter a new one. For more information about configuring alert notifications, see Configure alert notifications in Splunk App for Infrastructure.
- When you are done configuring the alert, click Submit.
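The threshold rules in the steps above (a required Critical threshold, an optional Warning threshold, and an If field that makes Critical a maximum for greater than or a minimum for less than) together with the three notification modes (severity improves, degrades, or changes at all) can be made concrete as a small model. The following Python is an added example written for this page, not code from Splunk App for Infrastructure: the `AlertThresholds` class, the `evaluate`, `should_notify` and `run_alert` functions, and the CPU sample values are all constructed here, and treating a value exactly equal to a threshold as not yet over it is an assumption.

```python
"""Model of how Create Alert thresholds classify a metric sample and when a
notification fires. Added example; not part of Splunk App for Infrastructure."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordering used to decide whether a severity change is an improvement or a degradation.
SEVERITY_RANK = {"normal": 0, "warning": 1, "critical": 2}


@dataclass(frozen=True)
class AlertThresholds:
    """Thresholds entered in the Create Alert window (hypothetical structure)."""
    metric: str
    comparison: str            # the If field: "greater than" or "less than"
    critical: float            # required; cannot be deleted
    warning: Optional[float] = None  # optional, via Add New Threshold

    def __post_init__(self) -> None:
        if self.comparison not in ("greater than", "less than"):
            raise ValueError("comparison must be 'greater than' or 'less than'")
        # The Warning level must sit between normal and Critical in the chosen direction.
        if self.warning is not None:
            if self.comparison == "greater than" and not self.warning < self.critical:
                raise ValueError("warning must be below critical for 'greater than'")
            if self.comparison == "less than" and not self.warning > self.critical:
                raise ValueError("warning must be above critical for 'less than'")


def evaluate(t: AlertThresholds, value: float) -> str:
    """Classify one sample as normal, warning or critical.

    Assumption: strict comparison, so a sample exactly on a threshold stays at
    the lower severity."""
    if t.comparison == "greater than":          # Critical is a maximum
        if value > t.critical:
            return "critical"
        if t.warning is not None and value > t.warning:
            return "warning"
        return "normal"
    # "less than": Critical is a minimum
    if value < t.critical:
        return "critical"
    if t.warning is not None and value < t.warning:
        return "warning"
    return "normal"


def should_notify(previous: str, current: str, mode: str) -> bool:
    """Decide whether a notification fires for a severity transition.

    mode is one of "improves", "degrades", "changes" (the three options
    offered under Alert Notification)."""
    if previous == current:
        return False
    if mode == "changes":
        return True
    if mode == "degrades":
        return SEVERITY_RANK[current] > SEVERITY_RANK[previous]
    if mode == "improves":
        return SEVERITY_RANK[current] < SEVERITY_RANK[previous]
    raise ValueError(f"unknown notification mode: {mode}")


def run_alert(t: AlertThresholds, samples: List[float], mode: str) -> List[Tuple[float, str, bool]]:
    """Replay a series of samples and report (value, severity, notified) per sample.

    The alert starts in the normal state, so the first sample can itself notify."""
    state = "normal"
    results = []
    for value in samples:
        severity = evaluate(t, value)
        results.append((value, severity, should_notify(state, severity, mode)))
        state = severity
    return results


if __name__ == "__main__":
    # Constructed sample: CPU usage percent, Critical above 90, Warning above 75.
    cpu = AlertThresholds("cpu.system.user", "greater than", critical=90, warning=75)
    for value, severity, notified in run_alert(cpu, [50, 80, 95, 85, 60], "degrades"):
        print(f"value={value:>5}  severity={severity:<8}  notify={notified}")
```

Running the block replays five constructed CPU samples in "degrades" mode: the alert notifies when it rises into warning and again into critical, but stays silent as it recovers. Switching the mode to "improves" inverts that, and "changes" notifies on every transition; a value that crosses back below Warning returns the alert to normal, so the Warning threshold governs both escalation and recovery.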
Edit an alert
Edit an alert to change its threshold trigger conditions, or to add or change the email recipients who are notified when the alert triggers.
Configure alert notifications in Splunk App for Infrastructure
Admin and user roles in Splunk App for Infrastructure
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5