Splunk® Enterprise

Alerting Manual

Download manual as PDF

Download topic as PDF

Create scheduled alerts

Create a scheduled alert to search for events on a regular schedule. You can configure scheduling, trigger conditions, and throttling to customize the alert.

To compare scheduled and real-time alerts, see Alert types. To review scenarios for alert types and triggering, see Alert type and triggering scenarios.

Using cron expressions

You can use a cron expression to customize alert scheduling. See Use cron expressions for scheduling to learn more.

Create a scheduled alert

Prerequisites


Steps

  1. Navigate to the Search page in the Search and Reporting app.
  2. Create a search.
  3. Select Save As>Alert.
  4. Enter a title and optional description.
  5. Specify permissions.
  6. Configure alert scheduling. There are two options for scheduling.
    Option Next steps for this option
    Select one of the available scheduling options and set a time. None.
    For further customization, select Run on Cron Schedule to use a time range and cron expression.
    1. Enter the Earliest and Latest values for the search time range. These values override the original search time range. To avoid overlaps or gaps, the execution schedule should match the search time range. For example, to run a search every 20 minutes the search time range should also be 20 minutes (-20m).
    2. Enter a cron expression to schedule the search. See cron expression examples below.
  7. Configure trigger conditions.
  8. (Optional) Configure a trigger throttling period.
  9. Select one or more alert actions that should happen when the alert triggers.
  10. Click Save.

Additional resources

PREVIOUS
Alert type and triggering scenarios
  NEXT
Use cron expressions for scheduling

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Comments

HI @Sideview,
Thanks for your comment. I'll follow up with you directly to get more details, as I'm not finding the UI where this link shows up. Our current software version does not seem to include it.

Frobinson splunk, Splunker
February 3, 2017

Docs/Product bug -
On the create/edit alert screen in the product, under the "custom condition search", it says "Custom condition is a conditional search that Splunk applies to the results returned by the scheduled search" and then there's a "read more" link that goes to this page by mistake.

Sideview
February 2, 2017

HI @Petro chernli,
This is a good suggestion. I"ll add it to the docs.
Thanks!

Frobinson splunk, Splunker
October 5, 2016

I've been puzzled for couple of minutes what's the "day" parameter (third one) and how it's different from fifth parameter. Turns out its "Day(s) of Month"! Let's add it to the description, maybe?

Petro chernii
October 5, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters