Splunk® Enterprise

Alerting Manual

Update and expand alert functionality

You can update alerts from the following places in Splunk Web.

  • Alerts page: Provides a listing of all alerts created within an app. It contains options for editing an alert. Click an alert entry to view the detail page for the alert.
  • Alert detail page: Provides links to update an alert. When applicable, lists triggered alerts.
  • Settings: Alerts are a type of saved search. You can view saved searches, reports, and alerts from the Searches, reports, and alerts view in Settings. From this view, you can do the following:

    • Create a new alert.
    • Create an alert based on an existing search.
    • Modify an alert.
    • Enable or disable an alert.
    • Delete alerts for which you have the appropriate permissions.

Alerts page

The Alerts page lists all alerts for an app. The Alerts page is available from the top-level menu for an app.

From the Alerts page you can do the following:

  • Specify which alerts to view:

    • All: View all alerts that you have permission to view.
    • Yours: View alerts that you have created.
    • This App's: View alerts for the current app.
      Only alerts that you have permission to view appear in the list.
  • Click an alert to open the detail page for an alert.
  • Open an alert from the Search page.
    Use this option to view or update the search for an alert.
  • Edit the details for an alert from the Edit menu.

Modify the search for an alert from the Alerts page

You can modify the search for an alert by opening the alert in Search.

  1. From the Alerts page, locate the alert that you want to modify.
  2. For the alert, click Open in Search.
  3. In the Search page, modify the search.
  4. Run the modified search.
  5. Click Save to update the alert. Click Save in the dialog box that opens.
  6. Select from the following:

    • View Alert
      Opens the detail page for the alert.
    • Continue Editing
      Returns to the Search page.
    • Permissions
      Lets you view and modify the permissions for the alert.

Update the details of an alert

  1. From the Alerts page, locate the alert that you want to modify.
  2. For the alert, click Edit and select the detail that you want to modify.
    Update the alert in the Edit Alert dialog box that opens.
    For example, select Edit Actions and modify the alert actions that appear in the Edit Alert dialog.
  3. Click Save, then click Done.

Alert details page

The Alert details page provides access to editing views for alerts. You can modify the search and update details from this page.

The Alert details page also displays the trigger history for the alert.

Modify the search for an alert from the Alert detail page

  1. From the alert detail page, select Edit > Open in Search.
  2. In the Search page that opens, modify the search.
  3. Run the modified search.
  4. Click Save to update the alert. Click Save in the dialog that appears.
  5. Select from the following:

    • View Alert
      Opens the detail page for the alert.
    • Continue Editing
      Returns to the Search page.
    • Permissions
      Lets you view and modify the permissions for the alert.

View and modify alert details

The Alert details page provides a listing of the current settings for an alert. You can view and modify the following details:

  • Whether the alert is enabled
  • Alert type, Scheduled or Real-time
  • Trigger condition
  • Actions
  • Permissions

View an alert's trigger history

If you specify List in Triggered Alerts as an alert action, the alert detail page lists the trigger history for the alert.

From the trigger history you can view the results that triggered the alert.

You can also view trigger history from the Alerts Manager.

  1. From the Splunk Enterprise menu bar, select Activity > Triggered Alerts.
  2. In the Alert Manager, filter the results according to App, Owner, Severity, and Alert name.
  3. Take the following actions from the Alert Manager:

    • View the results.
    • Edit the search.
    • Delete a triggered alert listing.

For more information, see Review triggered alerts.

Update alerts from Settings

The Searches, reports, and alerts view in Settings lets you enter the information to create and modify alerts. Some fields for modifying an alert are available only from Settings. You typically create alerts from the Search page by saving a search as an alert, and you typically modify alerts from the Alerts page or an alert detail page.

However, you can create, view, and update alerts from Settings. From Settings you can also define the retention time and enable summary indexing for alerts. Retention time defines how long to keep a record of triggered alerts, and associated artifacts, available. Summary indexing enables faster overall searching.

Note: Creating and editing alerts from Settings is for advanced users.

To view a listing of alerts in Settings:

  1. Select Settings > Searches, reports, and alerts.
    This view lists all saved searches and reports. An alert is a type of saved search.
  2. Filter the list of searches and reports using the App context and Owner menus.

Create an alert from Settings

  1. In the Searches, reports, and alerts view in Settings, click New.
    This opens a view that lets you create a new scheduled search.
  2. Fill in the details of the scheduled search you want to create.
  3. Click Schedule this search to create the alert.
  4. Specify details for the alert.
    The editing fields here correspond to the editing fields described in Create per-result alerts, Create scheduled alerts, and Create rolling-window alerts.
  5. Click Save.

Convert an existing search to an alert

  1. In the Searches, reports, and alerts view in Settings, locate the search for which you want to create an alert.
  2. Click the name of the search.
  3. Click Schedule this search to create the alert.
  4. Specify details for the alert.
    The editing fields here correspond to the editing fields described in Create per-result alerts, Create scheduled alerts, and Create rolling-window alerts.
  5. Click Save.

Modify an alert from Settings

The following alert properties are only available from the Searches, reports, and alerts view.

  • Expiration
  • Summary indexing

See Define alert retention time and Enable summary indexing for an alert for details. To modify an alert from this view:

  1. In the Searches, reports, and alerts view in Settings, locate the alert that you want to modify.
  2. Click the name of the search.
  3. Click Schedule this search to create the alert.
  4. Specify details for the alert.
    The editing fields here correspond to the editing fields described in Create per-result alerts, Create scheduled alerts, and Create rolling-window alerts.
  5. Click Save.

Define alert retention time

Retention time is how long to keep a record of triggered alerts, and associated artifacts, available. You can view the listing of triggered alerts from the detail page for an alert.

  1. When editing an alert, select the retention time from the Expiration menu.
    Select from the presets or specify a custom time.
  2. Verify that the List in Triggered Alerts check box is selected.

To review and manage your triggered alerts, go to the Alert manager by clicking the Triggered Alerts link on the Splunk Bar. For more information, see "Review triggered alerts" in this manual.

Enable summary indexing for an alert

You can enable summary indexing for an alert. Summary indexing lets you write the results of a report to a separate index. This enables faster searching overall. See Use summary indexing for increased reporting efficiency.

  • To enable summary indexing, click the Enable check box in the Summary Indexing section.
    The Alert condition changes to "always." Summary indexing for an alert cannot be conditional. If you want the alert to trigger on certain conditions, disable summary indexing for the alert.
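The settings that this topic sets through Splunk Web (the trigger condition, Expiration, List in Triggered Alerts, and Summary indexing) are stored in the alert's stanza in savedsearches.conf. The stanza below is an added illustration, not from this manual or from Splunk's own configuration files; the stanza name, search string, cron schedule, and index name are constructed for the example, while the setting names are the standard savedsearches.conf keys.

```ini
# Added example (not from the Splunk manual): one scheduled alert as stored in
# savedsearches.conf. Stanza name, search, schedule and index name are
# constructed for illustration.
[Failed logins - burst]
search = index=auth action=failure | stats count by user
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger condition as set in the Edit Alert dialog:
# fire when the search returns more than 0 results.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# "List in Triggered Alerts" plus the Expiration menu from the
# Searches, reports, and alerts view: keep each triggered-alert
# record and its results for 7 days so they can be reviewed in
# the Alert manager.
alert.track = 1
alert.expires = 7d
alert.severity = 4

# Summary indexing stays disabled for this alert. Enabling it
# (action.summary_index = 1, plus the target index below) forces
# alert_type = always, because a summary-indexing alert cannot be
# conditional.
action.summary_index = 0
# action.summary_index._name = summary
```

A stanza like this lives in an app's local/savedsearches.conf; after editing it, check the result in Settings > Searches, reports, and alerts, where the Expiration and Summary indexing fields should reflect the values above. Keeping alert.track = 1 with a sufficient alert.expires matters for investigation: once a triggered-alert record expires, its results are no longer available from the alert detail page or the Alert manager.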

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
