By default, only users with the Admin or Power roles can do the following.
- Create alerts.
- Run real-time searches.
- Schedule searches.
- Save searches.
- Share alerts.
Authorized users can share an alert with other app users by editing the alert permissions. When sharing an alert with a user without the Admin or Power role, the user needs permission to access the alerting features. For example, a user needs the capability to run a real-time search in order to access a real-time alert.
Admins can configure alert action permissions to change what alert actions are available to users in a particular app. For more information, see Alert Action Permissions.
Sharing an alert
You can configure sharing preferences when creating an alert or edit alert permissions later. Here are the steps for editing alert permissions.
- Navigate to the Alerts page in the Search and Reporting app.
- Find the alert you want to share and select Edit > Edit Permissions.
- Share the alert by configuring which users can access it. Here are the options.
Option Sharing description Owner Makes the alert private to the alert creator. App Display the alert for all users of the app. All apps Display the alert for all users of this Splunk deployment.
- Select read and write permissions for the user roles listed.
- Read: Users can see the alert on the Alerts page and run the alert in the app.
- Write: Users with appropriate permissions can modify, enable, and disable the alert.
Using custom alert actions
Alert action permissions
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3