Create rolling-window alerts
Use a rolling-window alert to evaluate events in real time as they pass through a rolling time window. The alert triggers only when the trigger condition is met within that window.
The rolling-window alert type is in some ways a hybrid of a per-result alert and a scheduled alert. Both a rolling-window alert and a per-result alert run in real time. But unlike the per-result alert, a rolling-window alert does not trigger each time the search returns a result. A rolling-window alert fires only when the specified trigger condition is met within the specified time window, which makes it similar to a scheduled alert.
- From the Search Page, create the following search. Select Last 24 Hours for the time range:
index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events
- Select Save As > Alert
- In the Save As Alert dialog box, specify the following:
- Title: Alert Example (Rolling-Window)
- Alert Type: Real Time
- Trigger Condition: Custom
- Custom condition: search log_events > 5
- in: 30 minutes
Because the search ends in stats count, it always returns exactly one row, so a Number of Results condition would never fire. The custom condition instead tests the value of the log_events field produced by that row.
- Click Next and continue defining actions for the alert.
Set the width of the rolling window
When you create a rolling-window alert, you specify a time span for a real-time search window. Real-time search windows can be any number of minutes, hours, or days. The alert monitors events as they pass through the window in real-time.
For example, you can create an alert that triggers when a login for a user fails four times in a 10-minute period. When the alert runs, login failure events pass through this window. The alert triggers only when four login failures for the same user occur within the span of the same 10-minute window.
In the following scenario the alert does not trigger, even though the user fails four times. A user experiences three login failures in quick succession. Eleven minutes after the first failure, the user fails again. By the time the fourth failure arrives, the first three have already aged out of the 10-minute window, so at no point do four failures fall within the same window.
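The following Python script is an added example, not code from the page or from Splunk; it models the rolling-window semantics described above over constructed sample log lines so you can see exactly when the four-failures-in-10-minutes alert fires and when it does not. The key=value log format, the user names and the timestamps are all assumptions for the illustration. The script generalizes the example slightly: the window width and the failure threshold are parameters, so you can see that the same events fire the alert with a 15-minute window but not with a 10-minute one.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page). Alice fails three times in
# quick succession and a fourth time 12 minutes after her first failure, which
# is the "fails but does not fire" scenario from the text. Bob fails four times
# inside four minutes, with a successful login in between.
SAMPLE_LOG = """\
2015-03-02T10:00:00 user=alice action=login result=failure
2015-03-02T10:00:30 user=alice action=login result=failure
2015-03-02T10:01:00 user=alice action=login result=failure
2015-03-02T10:12:00 user=alice action=login result=failure
2015-03-02T10:20:00 user=bob action=login result=failure
2015-03-02T10:21:00 user=bob action=login result=success
2015-03-02T10:22:00 user=bob action=login result=failure
2015-03-02T10:23:00 user=bob action=login result=failure
2015-03-02T10:24:00 user=bob action=login result=failure
"""


def parse_line(line):
    """Split 'ISO-timestamp key=value ...' into (datetime, dict of fields)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts_str), fields


def rolling_window_triggers(log_text, window_minutes=10, threshold=4):
    """Return [(iso_timestamp, user), ...] for each time the alert would fire.

    Events are consumed in arrival order, as a real-time search would see them.
    For every login failure we keep only the failures by the same user that
    fall inside the trailing window and fire when their count reaches the
    threshold. Failures older than the window are discarded, which is why a
    late fourth failure does not trigger: the earlier three are already gone.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of failures still in window
    triggers = []
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        if f.get("action") != "login" or f.get("result") != "failure":
            continue                                  # successes are ignored
        q = recent[f["user"]]
        q.append(ts)
        while q and ts - q[0] > window:               # age out old failures
            q.popleft()
        if len(q) >= threshold:
            triggers.append((ts.isoformat(), f["user"]))
            q.clear()  # count each burst once; Splunk's throttling settings serve this role
    return triggers


if __name__ == "__main__":
    print("10-minute window:", rolling_window_triggers(SAMPLE_LOG))
    print("15-minute window:", rolling_window_triggers(SAMPLE_LOG, window_minutes=15))
```

With the 10-minute window only bob fires (at 10:24:00); alice's fourth failure at 10:12:00 arrives after her first three have aged out. Widening the window to 15 minutes makes alice's four failures fall inside one window, and she fires at 10:12:00 as well. Choosing the window width is therefore part of the detection logic, not just a performance setting.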
Set up triggering conditions for a rolling-window alert
Trigger conditions apply to two types of rolling-window alerts:
- Basic conditional alert
- Advanced conditional alert
You set the triggering conditions when you set values for the Trigger condition field in the Save As Alert dialog, as described in the following subtopics.
Basic conditional alert
A basic conditional alert triggers when the number of results from a search, within a specified time window, meets, exceeds, or falls below a specified numerical value. When you create the alert, you can specify the following conditions:
- Number of results
- Number of hosts
- Number of sources
You create a basic conditional alert for a rolling-window alert similarly to how you create one for a scheduled alert. See Set up triggering conditions for a scheduled alert for an example.
Advanced conditional alert
An advanced conditional alert uses a secondary, custom conditional search to evaluate the results of a scheduled or real-time search. For a rolling-window alert, the alert triggers when the custom search returns any results within the specified time window. Write the custom conditional search so that it returns zero results when the alerting conditions are not met; any returned result triggers the alert.
A secondary conditional search can help reduce the incidence of false positive alerts.
You create an advanced conditional alert for a rolling-window alert similarly to how you create one for a scheduled alert. See Set up triggering conditions for a scheduled alert for an example.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15