Splunk® Metrics Workspace (Legacy)

Using the Splunk Metrics Workspace

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of SMW. Click here for the latest version.
Acrobat logo Download topic as PDF

Alerts in the Splunk Metrics Workspace

Use alerts to monitor and respond to specific behavior in your data. Metrics Workspace alerts are based on a specific chart. Alerts use a scheduled search of chart data and trigger when search results meet specific conditions.

To create alerts in the workspace, you need specific permissions. See Hardware and software requirements for the Splunk Metrics Workspace for details.

To learn more about alerting in the Splunk platform, see Getting started with alerts in the Alerting Manual.

Parts of an alert

Alerts in the Metrics Workspace consist of alert settings, trigger conditions, and trigger actions.

Alert settings

Configure what you want to monitor in alert settings. Alert settings include:

  • Alert title
  • Alert description
  • Permissions. Whether the alert is private or shared in the workspace.
  • How often you want to check alert conditions. For example, "Evaluate every 10 minutes".

Trigger conditions

Set trigger conditions to manage when an alert triggers. Trigger conditions consist of an aggregation to measure, a threshold value, and a time period to evaluate.

For example, set trigger conditions to "Alert when Avg (over 10-second intervals) cpu.usage is greater than 10,000 in the last 20 minutes". The alert triggers when the aggregate average for cpu.usage exceeds 10,000 at any point in the last twenty minutes.

An alert does not have to trigger every time conditions are met. Throttle an alert to control how soon the next alert can trigger after an initial alert.

Trigger actions

Configure trigger actions to manage alert responses. By default, you can view detailed information for triggered alerts on the Triggered Alerts page in Splunk. To access the Triggered Alerts page, select Activity > Triggered Alerts from the top-level navigation bar.

Specify a severity level to assign a level of importance to an alert. Severity levels can help you sort or filter alerts on the Triggered Alerts page. Available severity levels include Info, Low, Medium, High, and Critical.

Create an alert

Create an alert in the Metrics Workspace to monitor your data for certain conditions.

  1. In the main panel, select the chart you want to use for the alert.
  2. Click the This screen image shows the More icon. icon.
  3. Click Save as Alert.
  4. Under Settings, fill in the following fields: Title, Description, Permissions, and how often to check alert conditions.
  5. Under Trigger Conditions, fill in the following fields: Aggregation, Threshold, evaluation window, and throttle settings.
  6. (Optional) Under Trigger Actions, click the + Add Actions drop-down list, and select additional actions for when the alert triggers. Triggered alerts are added to the Triggered Alerts page in the Splunk platform by default.
  7. Click the Severity drop-down list, and select a severity level for the alert.
  8. Click Save.

Manage alerts

View alerts that were previously created in the Metrics Workspace to monitor and respond to alert activity. Alerts show the same time range and hairline as other charts. Add an alert to the workspace through the Data panel. For more information, see Types of data in the Splunk Metrics Workspace.

Alert chart actions

Click the This screen image shows the More icon. icon in the top-right corner of an alert chart to view a list of alert chart actions.

Action Description
Edit Alert Modify alert conditions.
Search Related Events View a list of related log events.
Open in Search Show the SPL that drives the alert in the Search & Reporting App.

Alert details

Select an alert in the Metrics Workspace to view its details. Alert details show in the Analysis panel. These details include the settings, trigger conditions, and severity level configured for the alert.

Show triggered instances to see when alert conditions are met.

  1. In the main panel, select the alert to show triggered instances.
  2. In the Analysis panel under Settings, select Show triggered instances.

Triggered instances appear as This screen image shows the triggered instance chart annotation. annotations on the chart.

Triggered instance annotations appear at the end of the evaluation window in which the alert triggers, not at the time the alert threshold is crossed.

Use alert badges This screen image shows the gray alert badge. to gauge the alert severity level. To help you monitor alert activity, badge colors are based on the most recent severity level of a triggered alert.

Severity level Badge color
No trigger Gray
Info Blue
Low Green
Medium Yellow
High Orange
Critical Red


The following alert shows CPU overutilization for the system.cpu metric.

This screen image shows a chart of an alert for CPU Overutilization for the cpu.system metric. Triggered instances are annotated on the chart.

This alert is based on the aggregate average of system.cpu metric values. The blue alert badge indicates a severity level of Info. The horizontal blue line shows the alert threshold (1.0m). The This screen image shows the triggered instance chart annotation. annotations show triggered instances for the alert.

Last modified on 25 March, 2019
Analytics in the Splunk Metrics Workspace
Dashboards in the Splunk Metrics Workspace

This documentation applies to the following versions of Splunk® Metrics Workspace (Legacy): 1.0.0, 1.0.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters