Splunk® Enterprise

Alerting Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Getting started with alerts

What is an alert?

If you want to receive notifications about certain events, you can use alerts. When you set up an alert, search results trigger an alert action if they match the alert's conditions.

Alert basics

To get started with an alert, there are a few things to consider.

  • Conditions: What do you want to know about?
    You can start with a search for the events you want to track. As an example, if you have an online store you can track when customers purchase your newest product. You can use an alert whose conditions are website purchase events that also involve this product.

  • Type and Frequency: How often do you want to know about the event?
    You can receive a notification about every customer purchase of a new product as it occurs. Or, you can get a notification on a weekly basis. You can choose continuous per-result, rolling, or scheduled alerts, and adjust their frequency.

  • Alert Action: What should happen when an alert is triggered?
    Once you set up an alert, when customer purchases of the new product show up in search results, they match the alert's conditions. Matching results trigger an alert action according to the frequency you choose. There are several options for alert actions. For example, you can receive an email or update a web resource in response to the triggered alert.

About alert types

There are a few alert types that you can use. Each type works differently with a search to trigger alert actions. You can choose an alert type depending on what event you are tracking and when you want to know about it.

Here is a quick reference guide to alert types and behavior:

  • Per-result alert
    How it works with searches: Based on a continuous real-time search.
    Triggering this alert: This basic alert triggers any time its search returns a result.

  • Scheduled alert
    How it works with searches: Runs a search according to a schedule that you specify when creating the alert.
    Triggering this alert: You can specify which search results trigger the alert.

  • Rolling-window alert
    How it works with searches: Based on a continuous real-time search.
    Triggering this alert: You can specify the time window and the conditions that, together, trigger the alert.

To learn about choosing an alert type for different scenarios, see Alert types and scenarios.

For more information on setting up specific alerts, check out resources on creating per-result alerts, scheduled alerts, and rolling-window alerts in this manual.

You can also check out Alert examples to get an idea of how each alert type can work.

Choosing an alert type

You can consider using different alerts for different scenarios. Depending on how you want to search for results and set up an alert, you can opt for a per-result, scheduled, or rolling-window alert.

To see some example scenarios and learn about choosing an alert type, see Alert types and scenarios.

Managing alert frequency

You can throttle an alert if you want to change how often it runs an alert action. Throttling an alert does not change how often search results meet the alert conditions. Instead, it changes how often search results matching the alert conditions trigger an alert action.

To learn about changing alert frequency, look at Throttle Alerts and Related Searches in this manual.

Using alert actions

When search results match an alert's conditions, they trigger the alert action. What happens next?

There are many options for configuring alert actions. For example, you can opt for an email based on the search results. If you want to see updates in a chat room, blog, or other web resource, you can use a webhook alert action.

To learn about setting up different alert actions, see Set up alert actions in this manual.

Alert and alert action permissions

Alerts and alert actions are knowledge objects with defined permissions. User roles and capabilities determine alert and alert action permissions.

By default, only users with the Admin or Power roles can:

  • Create alerts.
  • Run real-time searches.
  • Schedule searches.
  • Save searches.
  • Share alerts.

To learn more about configuring alert permissions, see Alert Permissions.

To learn more about configuring alert action permissions, check out Alert Action Permissions and Using the Alert Action Manager.

To learn more about permissions for knowledge objects, see Manage knowledge object permissions in the Knowledge Manager manual.

Scheduled reports and scheduled alerts are not the same

A scheduled report is similar to a scheduled or rolling-window alert in some ways. You can schedule a report and set up an action to run each time the scheduled report runs.

Scheduled reports are different from alerts, however, because a scheduled report's action will run every time the report is run. The report action does not depend on trigger conditions like an alert action does.

As an example, you can monitor guest check-ins at a hotel using an hourly search. Here are the differences between a scheduled report and an alert with email notification actions.

  • Scheduled report: runs its action and sends an email every time the report completes, even if the search returns no check-in results. In this case, you get an email notification every hour.
  • Alert: only runs its alert action when it is triggered by search results showing one or more check-in events. In this case, you only get an email notification if results trigger the alert action.

For more information about scheduled reports, see Schedule reports in the Reporting Manual.
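The hotel check-in example written out in savedsearches.conf, as an added illustration that is not part of the original topic, showing the report and alert side by side together with the throttle settings described under Managing alert frequency. The index, sourcetype, field names and email address are assumed sample values.

```ini
# Scheduled report: no trigger condition, so its email action runs on every
# hourly run, including runs whose search returns zero check-in events.
[hotel_checkins_hourly_report]
search = index=hotel sourcetype=pms event=checkin
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1
cron_schedule = 0 * * * *
action.email = 1
action.email.to = frontdesk@example.com
action.email.subject = Hourly check-in report

# Scheduled alert: same search and schedule, but the email action only runs
# when the trigger condition below is met (one or more check-in events).
[hotel_checkins_hourly_alert]
search = index=hotel sourcetype=pms event=checkin
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
enableSched = 1
cron_schedule = 0 * * * *
# realtime_schedule = 0 makes the scheduler run every skipped window
# (continuous scheduling) instead of dropping runs it could not start on time.
realtime_schedule = 0
# Trigger condition: number of events greater than 0.
counttype = number of events
relation = greater than
quantity = 0
# Record triggered alerts in the Triggered Alerts list.
alert.track = 1
# Throttle: after an action fires for a guest_id, suppress further actions
# for that guest_id for 24 hours. The search still runs and still matches;
# only how often the action fires changes.
alert.suppress = 1
alert.suppress.period = 24h
alert.suppress.fields = guest_id
action.email = 1
action.email.to = frontdesk@example.com
action.email.subject = New guest check-in
```

Without alert.suppress, a guest whose check-in appears in several consecutive hourly windows (for example because of a late-arriving duplicate record) would generate an email on each run.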

Last modified on 28 October, 2015

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
