Splunk® Enterprise

Alerting Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Create rolling-window alerts

Use a rolling-window alert to monitor and evaluate events in real time within a rolling window. The alert triggers only when it meets the trigger condition within a specified time period.

The rolling-window alert type is in some ways a hybrid of a per-result alert and a scheduled alert. A rolling-window alert and a per result alert both run in real-time. But unlike the per result alert, a rolling-window alert does not trigger each time the search returns a result. A rolling-window alert fires only when it meets specified trigger conditions within the specified time window. This makes the alert similar to a scheduled alert.

  1. From the Search Page, create the following search. Select Last 24 Hours for the time range:

    index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events

  2. Select Save As > Alert
  3. In the Save As Alert dialog box, specify the following:

    • Title: Alert Example (Rolling-Window)
    • Alert Type: Real Time
    • Trigger alert when: Number of Results is Greater than 5
    • in: 30 minutes
    Alert rolling window.png
  4. Continue defining actions for the alert.
    See Set up alert actions.

Set the width of the rolling window

When you create a rolling-window alert, you specify a time span for a real-time search window. Real-time search windows can be any number of minutes, hours, or days. The alert monitors events as they pass through the window in real-time.

For example, you can create an alert that triggers when a login for a user fails four times in a 10 minute period. When the alert runs, various login failure events pass through this window. The alert triggers only when four login failures for the same user occur within the span of the 10 minute window.

This example might appear to fail in the following scenario. A user experiences three login failures in quick succession. After 11 minutes pass, the user has another login failure. The alert does not trigger because the first three failures and the fourth failure are in different time windows.

Set up triggering conditions for a rolling-window alert

Trigger conditions apply to two types of rolling-window alerts:

  • Basic conditional alert
  • Advanced conditional alert

You set the triggering conditions when you set values for the Trigger condition field in the Save As Alert dialog, as described in the following subtopics.

Basic conditional alert

A basic conditional alert triggers when the number of results from a search, within a specified time window, meet, exceed, or are less than a specified numerical value. When you create the alert, you can specify the following conditions:

  • Number of results
  • Number of hosts
  • Number of sources

You create a basic conditional alert for a rolling-window similarly to how you create one for a scheduled alert. See Set up triggering conditions for a scheduled alert for an example.

Advanced conditional alert

An advanced conditional alert uses a secondary, custom conditional search to evaluate the results of a scheduled or real-time search. For a rolling-window alert, the alert triggers when the custom search returns any number of results within the specified time window. If the alerting conditions are not met, then the custom conditional search should return zero results.

A secondary conditional search can help reduce the incidence of false positive alerts.

You create an advanced conditional alert for a rolling-window similarly to how you create one for a scheduled alert. See Set up triggering conditions for a scheduled alert for an example.

Last modified on 18 November, 2015
Create per-result alerts
Throttle alerts and related searches

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters