Splunk® Enterprise

Alerting Manual

Alert permissions

Alerts are knowledge objects with defined permissions. User roles and capabilities determine alert creation, usage, editing, and other permissions.

By default, only users with the Admin or Power roles can do the following.

  • Create alerts.
  • Run real-time searches.
  • Schedule searches.
  • Save searches.
  • Share alerts.

Authorized users can share an alert with other app users by editing the alert permissions. When sharing an alert with a user without the Admin or Power role, the user needs permission to access the alerting features. For example, a user needs the capability to run a real-time search in order to access a real-time alert.

Admins can configure alert action permissions to change what alert actions are available to users in a particular app. For more information, see Alert Action Permissions.

Sharing an alert

You can configure sharing preferences when creating an alert or edit alert permissions later. Here are the steps for editing alert permissions.

  1. Navigate to the Alerts page in the Search and Reporting app.
  2. Find the alert you want to share and select Edit > Edit Permissions.
  3. Share the alert by configuring which users can access it. Here are the options.

     Option      Sharing description
     Owner       Makes the alert private to the alert creator.
     App         Displays the alert for all users of the app.
     All apps    Displays the alert for all users of this Splunk deployment.

  4. Select read and write permissions for the user roles listed.
    • Read: Users can see the alert on the Alerts page and run the alert in the app.
    • Write: Users with appropriate permissions can modify, enable, and disable the alert.
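
To review the outcome of these steps across many alerts, the following added example (not Splunk's own code and not part of the original topic) parses the text of an app's metadata/local.meta file and reports each alert's sharing level and any write access held by roles other than Admin and Power. It assumes Splunk's on-disk metadata layout, which this page does not show: `[savedsearches/<name>]` stanzas with `access` and `export` settings, where a missing `export` means app-level sharing. The sample stanzas, alert names and the `user` role entry are constructed, and private (Owner) alerts, which are stored per user, are out of scope.

```python
import re
from urllib.parse import unquote
# Constructed sample of an app's metadata/local.meta (not taken from the page).
SAMPLE_META = """\
[savedsearches/Failed%20logins%20spike]
access = read : [ * ], write : [ admin, power ]
export = system
[savedsearches/Disk%20usage]
access = read : [ admin, power ], write : [ admin ]
export = none
[savedsearches/Web%20errors]
access = read : [ * ], write : [ admin, user ]
[views/some_dashboard]
access = read : [ * ], write : [ user ]
"""
PRIVILEGED = {"admin", "power"}  # roles the page lists as able to create and share alerts

def parse_meta(text):
    """Map each savedsearches stanza to its sharing level and read/write roles."""
    alerts, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        stanza = re.fullmatch(r"\[savedsearches/(.+)\]", line)
        if stanza:
            current = alerts.setdefault(unquote(stanza.group(1)),
                                        {"sharing": "App", "read": set(), "write": set()})
        elif line.startswith("["):
            current = None  # a different knowledge object type; skip its settings
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "export":
                current["sharing"] = "All apps" if value == "system" else "App"
            elif key == "access":
                for perm, roles in re.findall(r"(read|write)\s*:\s*\[([^\]]*)\]", value):
                    current[perm] = {r.strip() for r in roles.split(",") if r.strip()}
    return alerts

def findings(alerts):
    """Flag write access outside PRIVILEGED and deployment-wide read for every role."""
    out = []
    for name, alert in sorted(alerts.items()):
        extra = sorted(alert["write"] - PRIVILEGED)
        if extra:
            out.append((name, "write granted to " + ", ".join(extra)))
        if alert["sharing"] == "All apps" and "*" in alert["read"]:
            out.append((name, "readable by every role in all apps"))
    return out

if __name__ == "__main__":
    print(*(f"{n}: {i}" for n, i in findings(parse_meta(SAMPLE_META))), sep="\n")
```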

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3

