Splunk® Enterprise

Alerting Manual


This documentation does not apply to the most recent version of Splunk.

Update alerts from Settings

The Searches, reports, and alerts view in Settings lets you enter the information needed to create and modify alerts. Some fields for modifying an alert are available only from Settings. You typically create alerts from the Search page by saving a search as an alert, and you typically modify alerts from the Alerts page or an alert detail page.

However, you can create, view, and update alerts from Settings. From Settings you can also define the retention time and enable summary indexing for alerts. Retention time defines how long a record of triggered alerts, and their associated artifacts, stays available. Summary indexing enables faster overall searching.

Note: Creating and editing alerts from Settings is for advanced users.

To view a listing of alerts in Settings:

  1. Select Settings > Searches, reports, and alerts.
    This view lists all saved searches and reports. An alert is a type of saved search.
  2. Filter the list of searches and reports using the App context and Owner menus.

Create an alert from Settings

  1. In the Searches, reports, and alerts view in Settings, click New.
    This opens a view that lets you create a new scheduled search.
  2. Fill in the details of the scheduled search you want to create.
  3. Click Schedule this search to create the alert.
  4. Specify details for the alert.
    The editing fields here correspond to the editing fields described in Create per-result alerts, Create scheduled alerts, and Create rolling-window alerts.
  5. Click Save.

Convert an existing search to an alert

  1. In the Searches, reports, and alerts view in Settings, locate the search for which you want to create an alert.
  2. Click the name of the search.
  3. Click Schedule this search to create the alert.
  4. Specify details for the alert.
    The editing fields here correspond to the editing fields described in Create per-result alerts, Create scheduled alerts, and Create rolling-window alerts.
  5. Click Save.

Modify an alert from Settings

The following alert properties are only available from the Searches, reports, and alerts view.

  • Expiration
  • Summary indexing

See Define alert retention time and Enable summary indexing for an alert for details. To modify an alert from this view:

  1. In the Searches, reports, and alerts view in Settings, locate the alert that you want to modify.
  2. Click the name of the search.
  3. Click Schedule this search to create the alert.
  4. Specify details for the alert.
    The editing fields here correspond to the editing fields described in Create per-result alerts, Create scheduled alerts, and Create rolling-window alerts.
  5. Click Save.

Define alert retention time

Retention time is how long a record of triggered alerts, and their associated artifacts, stays available. You can view the listing of triggered alerts from the detail page for an alert.

  1. When editing an alert, select the retention time from the Expiration menu.
    Select from the presets or specify a custom time.
  2. Verify that the List in Triggered Alerts check box is selected.

To review and manage your triggered alerts, go to the Alert manager by clicking the Triggered Alerts link on the Splunk Bar. For more information, see Review triggered alerts in this manual.

Enable summary indexing for an alert

You can enable summary indexing for an alert. Summary indexing lets you write the results of a report to a separate index. This enables faster searching overall. See Use summary indexing for increased reporting efficiency.

  • To enable summary indexing, click the Enable check box in the Summary Indexing section.
    The Alert condition changes to "always." Summary indexing for an alert cannot be conditional. If you want the alert to trigger on certain conditions, disable summary indexing for the alert.
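The retention and summary-indexing settings described above are stored in each alert's savedsearches.conf stanza. The following added example (not Splunk's own code) audits such stanzas for the two rules this topic states: an expiration only matters when the alert is listed in Triggered Alerts, and summary indexing cannot be combined with a conditional alert. Key names follow savedsearches.conf (alert.expires, alert.track, action.summary_index, alert_type); the two stanzas are constructed samples.

```python
import configparser

# Constructed sample resembling etc/apps/<app>/local/savedsearches.conf
SAMPLE_CONF = """
[failed_logins_spike]
search = index=auth action=failure | stats count by src
enableSched = 1
cron_schedule = */15 * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 50
alert.track = 1
alert.expires = 7d

[auth_summary_hourly]
search = index=auth | stats count by action, user
enableSched = 1
cron_schedule = 0 * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.summary_index = 1
action.summary_index._name = auth_summary
alert.track = 0
"""

def parse_savedsearches(text):
    """Parse ini-style savedsearches.conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (enableSched) as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def audit_alert(name, stanza):
    """Return findings for one stanza; an empty list means it is consistent."""
    findings = []
    summary = stanza.get("action.summary_index", "0") == "1"
    tracked = stanza.get("alert.track", "auto") != "0"  # default is auto
    if stanza.get("enableSched", "0") != "1":
        findings.append(f"{name}: not scheduled, so it never triggers")
    # Summary indexing cannot be conditional; the condition must be 'always'.
    if summary and stanza.get("alert_type", "always") != "always":
        findings.append(f"{name}: summary indexing with conditional "
                        f"alert_type '{stanza['alert_type']}'")
    # Expiration is meaningful only for alerts listed in Triggered Alerts.
    if "alert.expires" in stanza and not tracked:
        findings.append(f"{name}: alert.expires set but alert.track = 0")
    return findings

def audit(text):
    return {n: audit_alert(n, s) for n, s in parse_savedsearches(text).items()}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONF).items():
        print(name, "OK" if not issues else issues)
```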

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
