Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

How does alerting work in Splunk?

Alerts are searches that run either on a regular schedule or in real time and that are triggered when the conditions you define are met. When an alert is triggered, an "alert action" takes place, such as emailing the search results to stakeholders, updating an RSS feed, or running a shell script.

You can use alerts to notify you of changes in your data, network infrastructure, file system or other devices you're monitoring. You can turn any saved search into an alert.

An alert consists of:

  • a schedule for performing the search
  • conditions for triggering an alert
  • actions to perform when the triggering conditions are met
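The three components above map directly onto a stanza in savedsearches.conf. The following stanza is an added example, not taken from the Splunk documentation; the stanza name, the search (its index, sourcetype, field names and threshold), the recipient address and the script name are assumptions chosen for illustration. The keys themselves are the ones documented for Splunk 4.3.

```ini
# $SPLUNK_HOME/etc/system/local/savedsearches.conf (or an app's local/ directory).
# Stanza name, search and addresses below are hypothetical.
[Failed logins - scripted alert]
search = index=os sourcetype=linux_secure "Failed password" | stats count by src_ip | where count > 20

# 1. Schedule: run every 15 minutes over the previous 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# 2. Trigger condition: fire when the search returns at least one result row.
counttype = number of events
relation = greater than
quantity = 0

# 3. Actions: email the results inline and run a script that must live in
#    $SPLUNK_HOME/bin/scripts/ (Splunk will not run scripts from anywhere else).
action.email = 1
action.email.to = soc@example.com
action.email.sendresults = 1
action.email.inline = 1
action.script = 1
action.script.filename = syslog_alert.sh

# Throttle: after one trigger, stay quiet for an hour so a single noisy
# source cannot page the on-call every 15 minutes.
alert.suppress = 1
alert.suppress.period = 1h
```

Whoever can edit this stanza (through the file or through Splunk Web) controls both the search that runs on the indexer and the script that runs with the privileges of the Splunk service account, so treat write access to savedsearches.conf and to $SPLUNK_HOME/bin/scripts/ as equivalent to shell access on that host.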

Enabling alerts via configuration files

This chapter deals with alerting from a Splunk administrator's perspective. It focuses on configuring alerts via configuration files and on configuring scripted alerts, such as scripts that send SNMP traps.

Before reading this topic you should be thoroughly familiar with the material on alerting in the User Manual. There you'll find:

Enable alerts

Set up an alert at the time you create a saved search, or define an alert around any existing saved search you have permission to edit. Configure alerts via:

Specify overall email settings for alerts

To configure the mail host, SMTP email security, email format, subject, and sender, and to identify whether or not the results of the alert should be included inline:

  • In Splunk Web, click Manager > System settings > Email alert settings and specify your choices.
  • Click Save.

All alerts will now use these settings.

Scripted alerts

Alerts can also trigger shell scripts. When you configure an alert, specify a script you've written, and Splunk runs it each time the alert fires. You can use this feature to forward alerts to other applications. Learn more about configuring scripted alerts.

You can use scripted alerts to send syslog events, or SNMP traps.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
