Configure alerts in savedsearches.conf
You can use Splunk Web to configure most alerts. If you have Splunk Enterprise, you can configure alerts by editing savedsearches.conf. For reference, see savedsearches.conf in the Splunk Enterprise Admin Manual.
- Splunk Cloud Platform
- Use the Splunk Web steps to configure alerts. See Create scheduled alerts. You can't configure alerts using the configuration files.
- Splunk Enterprise
- To configure alerts using the configuration files, follow these steps.
- Prerequisites
- Only users with file system access, such as system administrators, can configure alerts using configuration files.
- Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
- You can have configuration files with the same name in your default, local, and app directories. Read Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.
- Steps
- Open or create a savedsearch.conf file in the proper directory. See Configuration file paths.
- Create or edit the stanza for the saved search. See Example savedsearch.conf stanza.
Configuration file paths
Open or create a local savedsearch.conf file at $SPLUNK_HOME/etc/system/local.
For apps, open or create the savedsearches.conf file in the application directory: $SPLUNK_HOME/etc/apps/<app name>/local
Example savedsearch.conf stanza
Alerts use a saved search to look for events. savedsearches.conf contains a stanza for each saved search. The following example shows the stanza for a saved search with its alert action settings. In this case, the alert sends an email notification when it triggers.
[Too Many Errors Today] # send an email notification action.email = 1 action.email.message.alert = The alert condition for '$name$' in the $app$ fired with $job.resultCount$ error events. action.email.to = address@example.com action.email.useNSSubject = 1 alert.suppress = 0 alert.track = 0 counttype = number of events quantity = 5 relation = greater than # run every day at 14:00 cron_schedule = 0 14 * * * #search for results in the last day dispatch.earliest_time = -1d dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","latitude"] display.page.search.mode = verbose display.visualizations.charting.chart = area display.visualizations.type = mapping enableSched = 1 request.ui_dispatch_app = search request.ui_dispatch_view = search search = index=_internal " error " NOT debug source=*splunkd.log* earliest=-7d latest=now disabled = 1
For an example of configuring alerts, see the savedsearches.conf.example file in the Splunk Enterprise Admin Manual.
| Alert examples | Configure a script for an alert action |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!