Update and expand alert functionality in Settings
To add or change an alert's search or settings:
- Go to Settings > Searches, reports, and alerts.
- On this page, locate the alert to update. Click the alert name. An alert configuration page opens.
- The configuration page contains all of the settings that you see in the Save As Alert dialog, with a few additional alerting settings that are only available on this page.
- Enter or update the alert search or configuration as needed.
- Click Save to save your changes.
Note: You might need to select the Schedule this search checkbox to expose the scheduling and alert setup controls if the report hasn't already been defined as an alert.
The Expiration fields and the Summary Indexing Enable checkbox are two alert definition options that are only available on the Searches and Reports detail page. See the subsections below for more information on these options.
When you are in Settings, you can only edit existing alerts that you have both read and write permissions for. Alerts can also be associated with specific apps, which means that you have to be using that app in order to see and edit the search. For more information about sharing and promoting alerts (as well as other Splunk knowledge objects), see "Manage knowledge object permissions" in the Knowledge Manager manual.
Define the alert retention time with the Expiration fields
In the Searches and Reports section of Settings, you can determine how long Splunk keeps a record of your triggered alerts. On the detail page for an alerting report, use the Expiration fields to define the amount of time that an alert's triggered alert records (and their associated search artifacts) are retained by Splunk.
You can choose a preset expiration point for the alert records associated with this search, such as after 24 hours, or you can define a custom expiration time.
Note: If you set an expiration time for an alert's triggered alert records, be sure to also configure the alert so that Splunk keeps records of the triggered alerts on the Alert Manager page. To do this from either the Alert Manager dialog box or the Settings > Searches and Reports page, go to the detail page for the alerting report and enable the List in Triggered Alerts alert action.
To review and manage your triggered alerts, go to the Alert manager by clicking the Triggered Alerts link in the upper right-hand corner of the Splunk bar. For more information about using it, see the "Review triggered alerts" topic in this manual.
Enable summary indexing for an alert
You can also enable summary indexing for any report or alert. Summary indexing writes the results of a report to a separate index and allows for faster searches overall by limiting the number of results to what the report generates. To enable this feature, click the Enable checkbox under the Summary Indexing section.
Note: If you enable summary indexing on an alert, Splunk limits the Alert condition to "always". This is because summary indexing for an alert cannot be conditional. If you want the alert to trigger only on certain conditions, you must disable summary indexing for the alert.
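The two notes above (expiration without the List in Triggered Alerts action, and summary indexing with a conditional alert) describe configurations that are easy to get wrong from the UI. The following added audit script, which is not part of this manual or of Splunk, checks a savedsearches.conf for both; it assumes the standard key mappings alert.expires (Expiration fields), alert.track (List in Triggered Alerts), action.summary_index (Summary Indexing Enable) and counttype (alert condition), and the stanza contents are a constructed sample.

```python
import configparser

# Constructed savedsearches.conf sample, not taken from any real deployment.
SAMPLE_CONF = """
[failed_logins_spike]
search = index=auth action=failure | stats count by user
enableSched = 1
counttype = number of events
alert.expires = 24h
alert.track = 0

[summary_auth_hourly]
search = index=auth | stats count by action
enableSched = 1
counttype = number of events
action.summary_index = 1
action.summary_index._name = summary_auth

[priv_escalation_watch]
search = index=os sudo | stats count by host
enableSched = 1
counttype = number of events
alert.expires = 7d
alert.track = 1
"""

def audit_saved_searches(conf_text):
    """Map each scheduled stanza to a list of findings (empty list = ok)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. enableSched
    parser.read_string(conf_text)
    findings = {}
    for name in parser.sections():
        s = parser[name]
        if s.get("enableSched", "0") != "1":
            continue  # not scheduled, so it never triggers as an alert
        issues = []
        # Expiration only matters if the alert is also listed in Triggered
        # Alerts (assumption: only an explicit alert.track = 1 counts).
        if "alert.expires" in s and s.get("alert.track") != "1":
            issues.append("alert.expires set but alert.track is not 1")
        # Summary indexing forces the alert condition to "always"
        # (assumption: a missing counttype defaults to "always").
        if s.get("action.summary_index", "0") == "1" and s.get("counttype", "always") != "always":
            issues.append("summary indexing enabled but counttype is not 'always'")
        findings[name] = issues
    return findings

for stanza, issues in audit_saved_searches(SAMPLE_CONF).items():
    print(stanza, "->", issues or ["ok"])
```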
This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13