Use Manager to update and expand alert functionality
Alerts are essentially saved searches that have had extra settings configured for them. If you want to add or change alert settings for a preexisting saved search, go to Manager > Searches and reports and locate the search you'd like to update (if you're updating an existing alert, look for a search with the same name as the alert). Click the search name to open the search detail page. The Searches and reports page contains all of the settings that you would otherwise see in the Create Alert dialog box, plus a few additional alerting settings that are only available on that page. You may need to select the Schedule this search checkbox to expose the scheduling and alert setup controls if the search hasn't been defined as an alert already.
When you are in Manager, keep in mind that you can only edit existing searches that you have both read and write permissions for. Searches can also be associated with specific apps, which means that you have to be using that app in order to see and edit the search. For more information about sharing and promoting saved searches (as well as other Splunk knowledge objects), see "Manage knowledge object permissions" in the Knowledge Manager manual.
Define the alert retention time
You can determine how long Splunk keeps a record of your triggered alerts. You can manage alert expiration for preexisting alerts in Manager > Searches and reports. On the detail page for an alerting search, use the Expiration field to define the amount of time that an alert's triggered alert records (and their associated search artifacts) are retained by Splunk.
You can choose a preset expiration point for the alert records associated with this search, such as after 24 hours, or you can define a custom expiration time.
Note: If you set an expiration time for an alert's alert records, be sure to also set the alert up so that Splunk keeps records of the triggered alerts on the Alert Manager page. To do this in the Alert Manager dialog box, select Show triggered alerts in Alert Manager under Enable actions on the Actions step. To set this up in Manager > Searches and reports, go to the detail page for the alerting search and enable the Tracking alert action.
To review and manage your triggered alerts, go to the Alert manager by clicking the Alerts link in the upper right-hand corner of the Splunk interface. For more information about using it, see the "Review triggered alerts" topic in this manual.
Enable summary indexing for an alert
You can also enable summary indexing for any report or alert. Summary indexing writes the results of a report to a separate index, which makes later searches faster because they run over only the results the report generates rather than the raw events. To enable this feature, click the Enable checkbox under the Summary Indexing section.
Note: If you enable summary indexing on an alert, Splunk limits the Alert condition to "always". This is because summary indexing for an alert cannot be conditional. If you want the alert to trigger only on certain conditions, you must disable summary indexing for the alert.
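The two notes above describe settings that silently interact: an expiration time with tracking left off, and summary indexing combined with a conditional trigger. The following script is an added example, not part of this manual, that checks a savedsearches.conf file for both combinations before the settings are deployed. The key names it reads (enableSched, alert.expires, alert.track, action.summary_index, counttype) are the on-disk savedsearches.conf settings as understood by the author of this example; this page only shows the corresponding Manager labels, so treat that mapping as an assumption. The sample configuration embedded in the script is constructed for illustration.

```python
"""Lint a savedsearches.conf for the two alert-setting pitfalls described above.

A constructed sample config is embedded below; in practice read the text of
$SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf instead.
"""
import configparser

# Constructed sample: three scheduled searches with different combinations
# of the settings discussed on this page. Key names are savedsearches.conf
# settings as the author of this example understands them (assumption); the
# page itself only shows the Manager UI labels.
SAMPLE_CONF = """
[failed logins spike]
search = index=auth action=failure | stats count by user
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 50
alert.expires = 24h
alert.track = 0

[nightly auth summary]
search = index=auth | stats count by action
enableSched = 1
cron_schedule = 0 1 * * *
counttype = number of events
relation = greater than
quantity = 0
action.summary_index = 1
action.summary_index._name = summary_auth
alert.track = 1

[priv escalation]
search = index=os sudo "COMMAND=" | stats count by user
enableSched = 1
cron_schedule = */5 * * * *
counttype = always
alert.expires = 7d
alert.track = 1
"""


def _truthy(value):
    """Interpret the boolean spellings Splunk accepts in .conf files."""
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def lint_alerts(conf_text):
    """Return {stanza: [finding, ...]} for scheduled searches whose alert
    settings combine in one of the two ways the notes above warn about."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    findings = {}
    for name in parser.sections():
        s = parser[name]
        if not _truthy(s.get("enableSched", "0")):
            continue  # not scheduled, so it cannot be an alert
        problems = []
        # Pitfall 1: an expiration is defined but tracking is off, so there
        # will be no triggered-alert records in Alert Manager to expire.
        if "alert.expires" in s and not _truthy(s.get("alert.track", "0")):
            problems.append("alert.expires set but alert.track is off; "
                            "no triggered-alert records will be kept")
        # Pitfall 2: summary indexing with a conditional trigger; Splunk
        # forces the alert condition to 'always' in that case.
        if (_truthy(s.get("action.summary_index", "0"))
                and s.get("counttype", "always").strip().lower() != "always"):
            problems.append("summary indexing enabled with counttype=%r; "
                            "Splunk will run the alert as 'always'"
                            % s.get("counttype"))
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for stanza, problems in lint_alerts(SAMPLE_CONF).items():
        for p in problems:
            print("[%s] %s" % (stanza, p))
```

Run against the sample, the script flags the first two stanzas and passes the third; pointing it at a real savedsearches.conf before restarting Splunk or reloading the app catches both combinations before the Manager UI quietly applies its own defaults.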
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18