Splunk® Enterprise

Alerting Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Alert types and scenarios

There are a few alert types that you can use. Each type works differently with a search to trigger alert actions. You can choose an alert type depending on what event you are tracking and when you want to know about it. You can also throttle an alert if you want to change its frequency.

Here are some scenarios for using each type of alert. To learn how to throttle an alert, see Throttle alerts and related searches.

Per result alert

Use a per result alert to notify when a real-time search returns a result that matches a condition. Typically, you specify a throttle condition so that the alert triggers only once for a specified time period.

Per result examples include the following:

  • Trigger an alert for every failed login attempt.
  • Trigger an alert when a specific type of error occurs on any host.
    You can choose field values that suppress hosts for which you do not want an alert notification.
  • Trigger an alert when a CPU on a host sustains 100% utilization for an extended period of time.
Caution: Be careful using a per result alert in a high availability deployment. If a peer is not available, a real-time search does not warn that the search might be incomplete. Use a scheduled alert for this scenario.

Scheduled alert

Use a scheduled alert to notify when a scheduled search returns results that meet a specific condition. A scheduled alert is useful when an immediate reaction to the alert is not a priority. Scheduled alert examples include:

  • Trigger an alert that runs daily, notifying when the number of items sold that day is less than 500.
  • Trigger an alert that runs hourly, notifying when the number of 404 errors in any hour exceeds 100.

Rolling-window alert

Use a rolling window alert to monitor the results of a real-time search within a specified time interval. For example, monitor the results every 10 minutes or every four hours. Rolling-window alert examples include:

  • Trigger an alert when a user has three consecutive failed logins within a 10 minute period.
    You can set a throttle condition to suppress an alert to once an hour from any user.
  • Trigger an alert when a host is unable to complete an hourly file transfer to another host.
    Set a throttle condition so the alert fires only once every hour for any specific host.
Caution: Be careful using a real-time search in a high availability deployment. If a peer is not available, a real-time search does not warn that the search might be incomplete. Use a scheduled alert for this scenario.
PREVIOUS
Getting started with alerts 		  NEXT
Create scheduled alerts

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters