Update and expand alert functionality in Settings
Alerts are reports that have had extra settings configured for them. You can add or change alert settings with the Searches and Reports page in Settings. Here's how you do it:
- Go to Settings > Searches and reports. On the Searches and Reports listing page, locate the search you'd like to update. If you're updating an existing alert, look for a search with the same name as the alert.
- Click the report name to open the report detail page. The report detail page contains all of the settings that you would otherwise see in the Save As Alert dialog box, plus a few additional alerting settings that are only available on this page.
- Enter or update the alert settings as necessary.
- Click Save to save your changes.
Note: You might need to select the Schedule this search checkbox to expose the scheduling and alert setup controls if the report hasn't already been defined as an alert.
The Expiration fields and the Summary Indexing Enable checkbox are two alert definition options that are only available on the Searches and Reports detail page. See the subsections below for more information on these options.
When you are in Settings, you can only edit existing reports that you have both read and write permissions for. Reports can also be associated with specific apps, which means that you have to be using that app in order to see and edit the search. For more information about sharing and promoting reports (as well as other Splunk knowledge objects), see "Manage knowledge object permissions" in the Knowledge Manager manual.
Define the alert retention time with the Expiration fields
In the Searches and Reports section of Settings, you can determine how long Splunk keeps a record of your triggered alerts. On the detail page for an alerting report, use the Expiration fields to define the amount of time that an alert's triggered alert records (and their associated search artifacts) are retained by Splunk.
You can choose a preset expiration point for the alert records associated with this search, such as after 24 hours, or you can define a custom expiration time.
Note: If you set an expiration time for an alert's alert records, be sure to also set the alert up so that Splunk keeps records of the triggered alerts on the Alert Manager page. To do this in either the Alert Manager dialog box or the Settings > Searches and Reports page, go to the detail page for the alerting report and enable the List in Triggered Alerts alert action.
To review and manage your triggered alerts, go to the Alert manager by clicking the Triggered Alerts link in the upper right-hand corner of the Splunk bar. For more information about using it, see the "Review triggered alerts" topic in this manual.
Enable summary indexing for an alert
You can also enable summary indexing for any report or alert. Summary indexing allows you to write the results of a report to a separate index and allows for faster searches overall by limiting the amount of results to what the report generates. To enable this feature, click the Enable checkbox under the Summary Indexing section.
Note: If you enable summary indexing on an alert, Splunk limits the Alert condition to "always". This is because summary indexing for an alert cannot be conditional. If you want the alert to trigger only on certain conditions, you must disable summary indexing for the alert.
Define rolling-window alerts
Set up alert actions
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15