Create per-result alerts
The per-result alert is the most basic alert type. It runs as a real-time search over an "all-time" time span, and it triggers every time the search returns a result.
You can create a search that retrieves events from an index, or a search that uses transforming commands to return results computed from the retrieved events. A per-result alert triggers in both cases: whenever the search returns an event, or whenever a transforming command returns a result. Because it fires once per result with no time window, a per-result alert on a busy search can trigger its actions very frequently; consider throttling if the actions are noisy or expensive.
Create a per-result alert
The following procedure shows how to create a per-result alert.
- From the Search page, enter the following search:
index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events
- Select Save As > Alert.
- In the Save As Alert dialog box, enter a Title for the alert.
- For Alert Type, select Real Time.
A per-result alert is always a real-time alert type.
- For Trigger Condition, select Per-Result.
- Select the actions you want to enable.
For this example, select List in Triggered Alerts.
See Set up alert actions for information on other actions.
- Click Save.
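For reference, the following savedsearches.conf stanza is the on-disk equivalent of the alert created by the procedure above. It is an added example, not a stanza from this documentation page; the stanza name "Internal log errors" is an assumption, and the settings shown are the ones that matter for the trigger condition and action chosen here. Splunk Web writes such a stanza under $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf for a private alert, or under $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf when the alert is shared in an app.

```ini
# Added example (not from the Splunk documentation page): savedsearches.conf
# stanza equivalent to the per-result alert created in Splunk Web above.
# The stanza name is an assumption; any unique name works.
[Internal log errors]
search = index=_internal (log_level=ERROR OR log_level=WARN* OR log_level=FATAL OR log_level=CRITICAL) | stats count as log_events

# Real-time search over an "all-time" window: both boundaries are "rt" with no
# offset. A rolling-window alert would instead use an offset such as
# dispatch.earliest_time = rt-5m with dispatch.latest_time = rt.
dispatch.earliest_time = rt
dispatch.latest_time = rt

# The saved search must be scheduled for the alert to run at all. For a
# real-time alert the cron schedule does not define the window; it only
# governs when the continuously running search is (re)started.
enableSched = 1
cron_schedule = * * * * *

# Trigger condition "Per-Result": counttype = always means "trigger whenever
# the search returns results" (no threshold), and alert.digest_mode = 0 runs
# the alert actions once per result instead of once per batch of results.
counttype = always
alert.digest_mode = 0

# Alert action "List in Triggered Alerts".
alert.track = 1

# Throttling is off by default. Because a per-result alert fires once per
# result, enable suppression if the actions are noisy; for example, fire at
# most once per 10 minutes for each distinct log_events value:
alert.suppress = 0
# alert.suppress = 1
# alert.suppress.period = 10m
# alert.suppress.fields = log_events
```

After editing the file, confirm the merged settings with `splunk btool savedsearches list "Internal log errors" --debug`, which also shows which file each setting comes from, then reload the saved-search configuration (for example via the saved/searches/_reload REST endpoint) or restart splunkd so the scheduler picks up the new alert.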
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14