Getting started with alerts
What is an alert?
If you want to receive notifications about certain events, you can use alerts. When you set up an alert, search results trigger an alert action if they match the alert's conditions.
To get started with an alert, there are a few things to consider.
- Conditions: What do you want to know about?
You can start with a search for the events you want to track. As an example, if you have an online store you can track when customers purchase your newest product. You can use an alert whose conditions are website purchase events that also involve this product.
- Type and Frequency: How often do you want to know about the event?
You can receive a notification about every customer purchase of the new product as it occurs, or you can get a single notification on a weekly basis. You can choose per-result, rolling-window, or scheduled alerts, and adjust their frequency.
- Alert Action: What should happen when an alert is triggered?
Once you set up an alert, when customer purchases of the new product show up in search results, they match the alert's conditions. Matching results trigger an alert action according to the frequency you choose. There are several options for alert actions. For example, you can receive an email or update a web resource in response to the triggered alert.
About alert types
There are a few alert types that you can use. Each type works differently with a search to trigger alert actions. You can choose an alert type depending on what event you are tracking and when you want to know about it.
Here is a quick reference guide to alert types and behavior:
| Alert type | How it works with searches | Triggering this alert |
| --- | --- | --- |
| Per-result alert | Based on a continuous real-time search. | This basic alert triggers any time its search returns a result. |
| Scheduled alert | Runs a search according to a schedule that you specify when creating the alert. | You can specify which search results trigger the alert. |
| Rolling-window alert | Based on a continuous real-time search. | You can specify the time window and the conditions that, together, trigger the alert. |
To learn about choosing an alert type for different scenarios, see Alert types and scenarios.
You can also check out Alert examples to get an idea of how each alert type can work.
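The following model is an added example, not Splunk's own code and not taken from this manual. It replays a constructed stream of events (the timestamps, the `user` and `action` fields, the 120-second window and the threshold of 4 are all assumptions chosen for the illustration) through the two real-time alert types in the table above, so you can see the difference between "fire on every matching result" and "fire when enough matching results fall inside a rolling time window", which is how a practitioner expresses a rule such as "four failed logins by one user within two minutes".

```python
"""Model of per-result and rolling-window alert triggering.

Added illustration, not Splunk's implementation.  Event data, field names,
the window length and the threshold are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # seconds since the start of the stream (constructed)
    user: str
    action: str    # e.g. "login_failed", "purchase"


# Constructed sample stream: a burst of failed logins for alice, one for bob,
# a late failure for alice long after the burst, and one unrelated event.
SAMPLE_EVENTS = [
    Event(0,   "alice", "login_failed"),
    Event(30,  "alice", "login_failed"),
    Event(45,  "bob",   "login_failed"),
    Event(70,  "alice", "login_failed"),
    Event(90,  "alice", "login_failed"),
    Event(100, "alice", "login_failed"),
    Event(400, "alice", "login_failed"),
    Event(500, "bob",   "purchase"),
]


def is_failed_login(e):
    """Alert condition used by the examples below (assumed field values)."""
    return e.action == "login_failed"


def per_result_alert(events, condition):
    """Per-result alert: the action fires once for every matching result.

    Returns the timestamps at which the alert triggers.
    """
    return [e.ts for e in events if condition(e)]


def rolling_window_alert(events, condition, window_s, threshold, key=lambda e: None):
    """Rolling-window alert: fires when at least `threshold` matching results
    fall inside the `window_s` seconds ending at the current event.

    `key` groups the count, e.g. per user, so a burst from one source does not
    count towards another.  Returns (timestamp, key) pairs at which the alert
    triggers.  Note that it can trigger again on the very next match while the
    window is still full; that repetition is what throttling addresses.
    """
    recent = {}          # key -> timestamps of matches still inside the window
    triggers = []
    for e in events:
        if not condition(e):
            continue
        k = key(e)
        q = recent.setdefault(k, deque())
        q.append(e.ts)
        # drop matches that have aged out of the window
        while q and q[0] <= e.ts - window_s:
            q.popleft()
        if len(q) >= threshold:
            triggers.append((e.ts, k))
    return triggers


if __name__ == "__main__":
    print("per-result:", per_result_alert(SAMPLE_EVENTS, is_failed_login))
    print("rolling 4-in-120s by user:",
          rolling_window_alert(SAMPLE_EVENTS, is_failed_login, 120, 4, key=lambda e: e.user))
```

On this input the per-result alert fires seven times, once per failed login, while the rolling-window alert fires only at 90 s and 100 s, when alice's fourth and fifth failures land inside the two-minute window; bob's single failure and alice's isolated failure at 400 s never reach the threshold. The events are still in the search results either way; only the action behaviour differs.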
Choosing an alert type
To see some example scenarios and learn about choosing an alert type, see Alert types and scenarios.
Managing alert frequency
You can throttle an alert if you want to change how often it runs an alert action. Throttling an alert does not change how often search results match the alert's conditions. Instead, it changes how often those matching results trigger an alert action: after an action fires, further matches are suppressed until the throttle period has passed.
To learn about changing alert frequency, look at Throttle Alerts and Related Searches in this manual.
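The following is an added example, not Splunk's own code and not taken from this manual. It models the distinction just described: every result the search returns is still a match, but a throttle decides which matches are allowed to trigger an action. The timestamps, the `user` field and the 600-second throttle period are assumptions chosen for the illustration. It also contrasts a global throttle with one tracked per field value, which is the choice that matters for security alerts.

```python
"""Model of alert throttling: matches versus actions.

Added illustration, not Splunk's implementation.  Matches, field values and
the throttle period are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Match:
    ts: int      # seconds since the start of the stream (constructed)
    user: str    # field the throttle may key on (assumed)


# Constructed results returned by the alert's search over time.
SAMPLE_MATCHES = [
    Match(0, "alice"), Match(20, "alice"), Match(40, "bob"),
    Match(50, "alice"), Match(700, "alice"), Match(720, "bob"),
]


class Throttle:
    """Suppress repeat actions for `window_s` seconds after an action fires.

    per_field=True tracks the suppression separately for each `user` value,
    so a second source still gets its own action.  per_field=False is a
    single global throttle: one action suppresses every match, whoever it
    came from, until the window expires.
    """

    def __init__(self, window_s, per_field):
        self.window_s = window_s
        self.per_field = per_field
        self.last_fired = {}    # key -> timestamp of the last action

    def should_fire(self, m):
        key = m.user if self.per_field else None
        last = self.last_fired.get(key)
        if last is not None and m.ts - last < self.window_s:
            return False        # still inside the throttle window: match, no action
        self.last_fired[key] = m.ts
        return True


def run(matches, throttle=None):
    """Return (number of matches, list of (ts, user) at which an action fired)."""
    fired = [(m.ts, m.user) for m in matches
             if throttle is None or throttle.should_fire(m)]
    return len(matches), fired


if __name__ == "__main__":
    print("no throttle:      ", run(SAMPLE_MATCHES))
    print("global 600 s:     ", run(SAMPLE_MATCHES, Throttle(600, per_field=False)))
    print("per user 600 s:   ", run(SAMPLE_MATCHES, Throttle(600, per_field=True)))
```

The match count is six in all three runs; only the action list changes. With a global throttle, bob's first match at 40 s never produces an action because alice's action at 0 s opened the window, so a second actor can be hidden behind the first. Throttling per the field that identifies the source (user, source address) avoids that, and in every case the suppressed matches remain visible in the search results, so notification counts must not be read as event counts.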
Using alert actions
When search results match an alert's conditions, they trigger the alert action. What happens next?
There are many options for configuring alert actions. For example, you can opt for an email based on the search results. If you want to see updates in a chat room, blog, or other web resource, you can use a webhook alert action.
To learn about setting up different alert actions, see Set up alert actions in this manual.
Alert and alert action permissions
By default, only users with the Admin or Power roles can:
- Create alerts.
- Run real-time searches.
- Schedule searches.
- Save searches.
- Share alerts.
To learn more about configuring alert permissions, see Alert Permissions.
To learn more about permissions for knowledge objects, see Manage knowledge object permissions in the Knowledge Manager manual.
Scheduled reports and scheduled alerts are not the same
A scheduled report is similar to a scheduled or rolling-window alert in some ways. You can schedule a report and set up an action to run each time the scheduled report runs.
Scheduled reports are different from alerts, however, because a scheduled report's action will run every time the report is run. The report action does not depend on trigger conditions like an alert action does.
As an example, you can monitor guest check-ins at a hotel using an hourly search. Here are the differences between a scheduled report and an alert with email notification actions.
- Scheduled report: runs its action and sends an email every time the report completes, even if there are no search results showing check-ins. In this case, you get an email notification every hour.
- Alert: only runs its alert action when it is triggered by search results showing one or more check-in events. In this case, you only get an email notification for the hours in which results trigger the alert action.
For more information about scheduled reports, see Schedule reports in the Reporting Manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14