Splunk® Enterprise

Alerting Manual


Triggered alerts

You can see records of recently triggered alerts in the Alert Manager. A triggered alert appears in the Alert Manager under the following conditions:

  • The List in Triggered Alert action is enabled for the alert.
  • The alert triggered recently.
  • The retention time span for the alert has not been reached.
  • The triggered alert listing has not been deleted.

Open the Alert Manager

The Alert Manager is available from the Splunk Web menu. When listing triggered alerts, the Alert Manager provides details on the following:

  • Time: When the alert fired.
  • Fired alerts: The name of the alert.
  • App: The app for the alert.
  • Type: Real-time or scheduled.
  • Severity: The severity level.
  • Mode: Digest or Per Result. For Digest, the alert represents a set of events. Per Result represents a single event.
  • Actions: Links to view results of the alert, edit the base search, and delete the triggered alert listing.

  1. From the Splunk Enterprise menu bar, select Activity > Triggered Alerts.
     The Alert Manager displays the triggered alerts that are available for viewing.
  2. In the Alert Manager, filter the results according to App, Owner, Severity, and Alert name.
  3. (Optional) Use the keyword search to find fired alerts by alert name or app name containing the alert.
  4. (Optional) Take the following actions from the Alert Manager:
     • View the results.
     • Edit the search for an alert.
     • Delete a triggered alert listing.

Enable an alert for listing in the Alert Manager

There are several ways you can enable or disable an action for an alert. To make an alert eligible for listing in the Alert Manager, enable the List in Triggered Alerts action.


The dialog to enable this action appears in various workflows.

  • When creating the alert.
  • From the listing of alerts in the Alerts page, select Edit > Edit Actions.
  • From an alert detail page, for Actions, select Edit.
  • From Settings > Searches, reports, and alerts, click the name of the alert. Scroll to the List in Triggered Alerts check box.

When listing an alert, you specify the Severity of the alert. Severity levels are informational only. They let you group and highlight alerts in the Alert Manager according to severity level.

Alert retention

By default, the Alert Manager retains a listing of a triggered alert for 24 hours. You can customize the alert retention period from Settings. After the retention period expires, the alert is no longer available from the Alert Manager.

You can also manually delete the listing of an alert from the Alert Manager.

  1. From the Splunk Enterprise menu bar, select Settings > Searches, reports, and alerts.
  2. In the listing, click the Search Name for the alert you want to modify.
  3. In the dialog box that opens, scroll to the Expiration menu.
  4. Select a preset from the menu or select Custom to define a custom time for expiration.
    The Expiration setting applies only to alerts that enable the List in Triggered Alerts action.
  5. Click Save.
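The three Alert Manager settings covered above (the List in Triggered Alerts action, Severity, and Expiration) are also stored in the alert's savedsearches.conf stanza. The fragment below is an added example, not taken from this page; the stanza name, search string and schedule are constructed placeholders, and the alert.* keys are assumed from the standard savedsearches.conf spec.

```ini
# Added example: a scheduled alert whose triggered listings are kept in the
# Alert Manager. Stanza name, search and schedule are constructed placeholders.
[Example - Repeated failed logins]
search = index=auth action=failure | stats count by user | where count > 20
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the search returns at least one result.
counttype = number of events
relation = greater than
quantity = 0
# Mode shown in the Alert Manager: 1 = Digest (one listing per run),
# 0 = Per Result (one listing per matching event).
alert.digest_mode = 1
# Equivalent of the "List in Triggered Alerts" check box. A listing appears
# in the Alert Manager only while this is enabled; Expiration applies only then.
alert.track = 1
# Informational only, used for grouping: 1=debug 2=info 3=warn 4=error 5=severe 6=fatal.
alert.severity = 4
# Expiration of the listing. The default, 24h, is the retention the page
# describes; a longer value keeps the record available for triage after a weekend.
alert.expires = 7d
```

Disabling the stanza (enableSched = 0 or disabled = 1) removes every triggered listing for the alert, so an analyst who needs a durable record should rely on the alert's own indexed results rather than the Alert Manager listing.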

Delete a triggered alert listing

You can remove a triggered alert listing from the Alert Manager in the following ways:

  • Specify a retention time
    The triggered alert listing is deleted when the retention time expires. See Alert retention.
  • Delete triggered alert listings manually
    You can select one or more alerts from the listing and click Delete. You can delete individual alerts by clicking the Delete link in the listing.
  • Disable the alert
    Disabling an alert removes all listings of triggered alerts from the Alert Manager. It also removes the listing from the alert details page. You can disable an alert from Settings, the Alerts page, and the detail page for an alert.

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
