Create per-result alerts
The per-result alert is the most basic type of alert. It runs as a real-time search over an "all-time" time span and triggers whenever the search returns a result.
You can create a search that retrieves events from an index, or a search that uses transforming commands to return results computed from the retrieved events. A per-result alert triggers in both cases: once for each result the search returns, whether that result is a raw event or a row produced by a transforming command.
Create a per-result alert
The following procedure shows how to create a per-result alert.
- From the Search Page, enter the following search:
index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events
- Select Save As > Alert
- In the Save As Alert dialog box, enter a Title for the alert.
- For Alert Type, select Real Time.
A per-result alert is always a real-time alert type.
- For trigger condition, select Per-Result.
For a per-result alert, you can select only the Per-Result trigger condition.
- Click Next.
- Select the actions you want to enable.
For this example, select List in Triggered Alert.
See Set up alert actions for information on other actions.
- Click Save.
- Click Continue Editing.
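The procedure above is UI-only, so the difference between alerting on raw events and alerting on the output of `stats` is easy to miss. The following Python simulation is an added example, not Splunk code and not part of the original page: it applies the search's `log_level` clause to a handful of constructed splunkd.log-style lines (made up for the example, not captured output) and counts how many times a per-result alert would fire for the event search versus the `| stats count as log_events` search. The line layout, the `fnmatchcase` stand-in for the `WARN*` wildcard, and the function names are assumptions made for this illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events in the layout of splunkd.log lines as they appear
# in index=_internal. They are made up for this example, not captured output.
SAMPLE_EVENTS = [
    "04-12-2015 10:00:01.123 +0000 INFO  Metrics - group=thruput, name=index_thruput",
    "04-12-2015 10:00:02.456 +0000 WARN  TcpInputProc - Connection closed by remote peer",
    "04-12-2015 10:00:03.789 +0000 ERROR HttpListener - Socket error from 10.0.0.5",
    "04-12-2015 10:00:04.001 +0000 WARNING SearchScheduler - Skipping scheduled search",
    "04-12-2015 10:00:05.002 +0000 FATAL IndexerService - Cannot write to index",
    "04-12-2015 10:00:06.003 +0000 DEBUG Metrics - group=queue, name=parsingqueue",
]

# Assumption: the fourth whitespace-separated token of a splunkd.log line is the
# log level (date, time, timezone offset, level).
LOG_LEVEL_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+(?P<log_level>[A-Z]+)\b")

# The trigger clause of the page's search, written as wildcard patterns:
# log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL
LOG_LEVEL_PATTERNS = ("ERROR", "WARN*", "FATAL", "CRITICAL")


def extract_log_level(event):
    """Return the log_level field of a splunkd.log-style line, or None if unparseable."""
    m = LOG_LEVEL_RE.match(event)
    return m.group("log_level") if m else None


def matches_search(event):
    """True when the event satisfies the search's log_level clause.

    fnmatchcase gives the same prefix semantics as Splunk's WARN*, so both
    WARN and WARNING match while INFO and DEBUG do not.
    """
    level = extract_log_level(event)
    if level is None:
        return False
    return any(fnmatchcase(level, pattern) for pattern in LOG_LEVEL_PATTERNS)


def event_search(events):
    """Simulate the search without the stats pipe: every matching event is a
    separate result, so a per-result alert fires once per returned event."""
    return [event for event in events if matches_search(event)]


def stats_count_search(events):
    """Simulate '... | stats count as log_events': the transforming command
    collapses all matching events into a single row, so a per-result alert
    fires once for that row. As with Splunk's stats count, a row is produced
    (with log_events = 0) even when no event matched."""
    return [{"log_events": len(event_search(events))}]


def per_result_triggers(results):
    """Per-result semantics: one trigger per result, whatever the result contains."""
    return len(results)


if __name__ == "__main__":
    hits = event_search(SAMPLE_EVENTS)
    print(f"event search: {per_result_triggers(hits)} triggers")
    for hit in hits:
        print("  ", hit)
    rows = stats_count_search(SAMPLE_EVENTS)
    print(f"stats search: {per_result_triggers(rows)} trigger, row={rows[0]}")
    print(f"stats search with no matches: {per_result_triggers(stats_count_search([]))} trigger")
```

On the sample above the event search returns four results (WARN, ERROR, WARNING, FATAL), so a per-result alert would fire four times, while the `stats` form returns one row and fires once. The zero-count row in the last case is the caveat to keep in mind: a transforming command can return a result even when nothing matched, so confirm on your own instance how a per-result alert treats that row before relying on it.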
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15