Alerts in the Splunk Metrics Workspace
Use alerts to monitor and respond to specific behavior in your data. Metrics Workspace alerts are based on a specific chart. Alerts use a scheduled search of chart data and trigger when search results meet specific conditions.
To create alerts in the workspace, you need specific permissions. See Hardware and software requirements for the Splunk Metrics Workspace for details.
To learn more about alerting in the Splunk platform, see Getting started with alerts in the Alerting Manual.
Parts of an alert
Alerts in the Metrics Workspace consist of alert settings, trigger conditions, and trigger actions.
Configure what you want to monitor in alert settings. Alert settings include:
- Alert title
- Alert description
- Permissions. Whether the alert is private or shared in the workspace.
- How often you want to check alert conditions. For example, "Evaluate every 10 minutes".
Set trigger conditions to manage when an alert triggers. Trigger conditions consist of an aggregation to measure, a threshold value, and a time period to evaluate.
For example, set trigger conditions to "Alert when Avg (over 10-second intervals) cpu.usage is greater than 10,000 in the last 20 minutes". The alert triggers when the aggregate average for cpu.usage exceeds 10,000 at any point in the last twenty minutes.
An alert does not have to trigger every time conditions are met. Throttle an alert to control how soon the next alert can trigger after an initial alert.
Configure trigger actions to manage alert responses. By default, you can view detailed information for triggered alerts on the Triggered Alerts page in Splunk. To access the Triggered Alerts page, select Activity > Triggered Alerts from the top-level navigation bar.
Specify a severity level to assign a level of importance to an alert. Severity levels can help you sort or filter alerts on the Triggered Alerts page. Available severity levels include Info, Low, Medium, High, and Critical.
Create an alert
Create an alert in the Metrics Workspace to monitor your data for certain conditions.
- In the main panel, select the chart you want to use for the alert.
- Click the icon.
- Click Save as Alert.
- Under Settings, fill in the following fields: Title, Description, Permissions, and how often to check alert conditions.
- Under Trigger Conditions, fill in the following fields: Aggregation, Threshold, evaluation window, and throttle settings.
- (Optional) Under Trigger Actions, click the + Add Actions drop-down list, and select additional actions for when the alert triggers. Triggered alerts are added to the Triggered Alerts page in the Splunk platform by default.
- Click the Severity drop-down list, and select a severity level for the alert.
- Click Save.
View alerts that were previously created in the Metrics Workspace to monitor and respond to alert activity. Alerts show the same time range and hairline as other charts. Add an alert to the workspace through the Data panel. For more information, see Types of data in the Splunk Metrics Workspace.
Alert chart actions
| Action | Description |
| Edit Alert | Modify alert conditions. |
| Search Related Events | View a list of related log events. |
| Open in Search | Show the SPL that drives the alert in the Search & Reporting App. |
Select an alert in the Metrics Workspace to view its details. Alert details show in the Analysis panel. These details include the settings, trigger conditions, and severity level configured for the alert.
Show triggered instances to see when alert conditions are met.
- In the main panel, select the alert to show triggered instances.
- In the Analysis panel under Settings, select Show triggered instances.
Triggered instance annotations appear at the end of the evaluation window in which the alert triggers, not at the time the alert threshold is crossed.
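The following Python sketch is an added example, not Splunk code. It is a simplified model of the behavior described above: interval aggregation, threshold, evaluation window, schedule, throttle, and the placement of a triggered instance at the end of the evaluation window. The `AlertRule` fields, the function names, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class AlertRule:              # hypothetical names, not Splunk settings keys
    threshold: float          # trigger when a bucket average exceeds this
    bucket_s: int             # aggregation interval in seconds
    window_s: int             # evaluation window ("in the last N minutes")
    every_s: int              # schedule ("evaluate every N minutes")
    throttle_s: int = 0       # minimum gap between two triggers

def bucket_averages(samples, bucket_s):
    """Average (timestamp, value) samples into fixed-width buckets."""
    acc = {}
    for ts, value in samples:
        start = ts - ts % bucket_s
        total, count = acc.get(start, (0.0, 0))
        acc[start] = (total + value, count + 1)
    return {start: total / count for start, (total, count) in acc.items()}

def triggered_instances(samples, rule, first_run, last_run):
    """Return (run_time, first_crossing_time) for each alert that fires."""
    averages = bucket_averages(samples, rule.bucket_s)
    fired, last_fired = [], None
    for run in range(first_run, last_run + 1, rule.every_s):
        over = [t for t, avg in averages.items()
                if run - rule.window_s <= t < run and avg > rule.threshold]
        if not over:
            continue                      # condition not met in this window
        if last_fired is not None and run - last_fired < rule.throttle_s:
            continue                      # condition met, but throttled
        last_fired = run
        fired.append((run, min(over)))    # annotated at run time, not crossing
    return fired

# Constructed sample data: cpu.usage every 5 s for an hour, one 30 s spike.
SAMPLES = [(t, 12_000 if 1500 <= t < 1530 else 4_000) for t in range(0, 3600, 5)]
UNTHROTTLED = AlertRule(threshold=10_000, bucket_s=10, window_s=1200, every_s=600)
THROTTLED = AlertRule(threshold=10_000, bucket_s=10, window_s=1200, every_s=600,
                      throttle_s=1200)

if __name__ == "__main__":
    # The 20-minute window overlaps two 10-minute runs, so one spike fires twice.
    print(triggered_instances(SAMPLES, UNTHROTTLED, 600, 3600))
    print(triggered_instances(SAMPLES, THROTTLED, 600, 3600))
```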
| Severity level | Badge color |
The following alert shows CPU overutilization for the
This alert is based on the aggregate average of system.cpu metric values. The blue alert badge indicates a severity level of Info. The horizontal blue line shows the alert threshold (1.0m). The annotations show triggered instances for the alert.
This documentation applies to the following versions of Splunk® Metrics Workspace (Legacy): 1.0.0, 1.0.1