Splunk® Enterprise

Alerting Manual


Additional alert configuration options

The recommended workflow is to create alerts from the Search page and edit them from the Alerts page. In rare cases, users with the appropriate permissions might need the Searches, reports, and alerts page in Settings for the following configurations.


Enable summary indexing

Summary indexing is available for scheduled alerts only. It lets you analyze and report on large amounts of data over long time ranges. Running such searches directly against the raw data is time consuming and can degrade performance when several users run similar searches on a regular basis.

Prerequisites
Ensure that the alert's search generates statistical or summary data.

Steps

  1. From the top-level navigation bar, select Settings > Searches, reports, and alerts.
  2. Select the alert to open the alert detail page.
  3. Under Summary indexing, select Enable. This option is available only for scheduled alerts, not for real-time alerts. Enabling it sets Alert condition to "Always" if it is not already set, so that every scheduled run writes its results to the summary index instead of only the runs that meet a trigger condition.
  4. Select the summary index that receives the results.
  5. Click Save.

Searches and summary indexing

To use summary indexing with an alert, create a search that computes statistics or a summary for events over a period of time. Each scheduled run saves its results into a summary index that you designate. You can then search the smaller summary index instead of the larger original dataset.

Searches that populate a summary index typically use reporting commands. See Use summary indexing for increased reporting efficiency in the Knowledge Manager manual. Note that summary data is protected by the access controls of the summary index, not of the source index: a role that can read the summary index can see the aggregated results even if it cannot search the original data, so grant access to the summary index with that in mind.
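As an added example, not taken from the Splunk documentation, here is what the summary indexing settings described above look like once saved to savedsearches.conf, which is what the Searches, reports, and alerts page writes. The stanza name, the source search, the schedule, the summary index name and the extra field value are illustrative assumptions, not values from the original page.

```ini
# Added example, not from the Splunk documentation. Assumed file location:
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# The stanza name, search, schedule and index name are illustrative choices.

[splunkd errors by component - hourly summary]
# The populating search uses a reporting command. sistats is the
# summary-indexing form of stats: it stores partial results that a later
# stats over the summary index can finish.
search = index=_internal sourcetype=splunkd log_level=ERROR | sistats count by component

# Scheduled alert: run five minutes past every hour over the previous whole hour.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Alert condition "Always": every scheduled run writes to the summary index,
# so the summary has no gaps caused by an unmet trigger condition.
alert_type = always

# Summary indexing: enable it, name the designated summary index, and add a
# field to every summary event (action.summary_index.<field> = <value>).
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.summary_type = splunkd_errors_hourly
```

A report over the summary then reads `index=summary summary_type=splunkd_errors_hourly | stats count by component`, which combines the partial results that sistats stored instead of re-scanning `_internal`. The `index=summary` search runs under the access controls of the summary index, so check which roles can read that index before enabling this on searches over sensitive data.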



Configure triggered alert expiration

By default, each trigger record on the Triggered Alerts page expires after 24 hours. The following steps change that expiration for one alert. They apply only to alerts with the "Add to Triggered Alerts" action enabled, because only those alerts write trigger records.

  1. From the top-level navigation bar, select Settings > Searches, reports, and alerts.
  2. Locate the alert that you want to modify under Search Name.
  3. Select the alert. A configuration dialog opens.
  4. Scroll to the Expiration settings dropdown.
  5. Configure the expiration time. The available options are:
     - One of the preset expiration options: no additional steps.
     - Custom: use the text field and dropdown to define a custom expiration time.
  6. Click Save.

Convert an existing search to an alert

  1. From the top-level navigation bar, select Settings > Searches, reports, and alerts.
  2. Locate the search that you want to convert to an alert.
  3. Select the search. An editing dialog opens.
  4. Under the Schedule and alert options, click "Schedule this search".
  5. Specify the schedule, trigger condition, and actions for the alert.
  6. Click Save.
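As an added example, not taken from the Splunk documentation, here is a savedsearches.conf stanza for a search that has been converted to a scheduled alert as described in the steps above, with the "Add to Triggered Alerts" action and the trigger record expiration covered in the previous section. The stanza name, the search, the schedule, the threshold, the expiration value, the suppression settings and the email recipient are illustrative assumptions, not values from the original page.

```ini
# Added example, not from the Splunk documentation. Assumed file location:
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Stanza name, search, schedule, threshold, expiration, suppression and
# recipient values are illustrative choices.

[failed logins - 5 minute window]
# The search that was converted to an alert: failed Splunk logins per user.
search = index=_audit action="login attempt" info=failed | stats count by user

# "Schedule this search": run every five minutes over the previous five minutes.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Trigger condition: alert when the number of result rows is greater than 0.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# "Add to Triggered Alerts" action (alert.track) and the expiration of its
# trigger record. The default is 24h; this keeps failed-login records for 7 days.
alert.track = 1
alert.expires = 7d
alert.severity = 4

# Throttle repeat triggers for the same user for 30 minutes so one noisy
# account does not flood the Triggered Alerts page.
alert.suppress = 1
alert.suppress.period = 30m
alert.suppress.fields = user

# Additional action: email notification. $name$ expands to the stanza name.
action.email = 1
action.email.to = secops@example.com
action.email.subject = Alert triggered: $name$
```

Keeping alert.expires longer than the default only matters when the trigger records themselves are the evidence an analyst reviews; if the alert also emails or writes to an index, the default 24h is usually enough, and a long expiration just keeps stale records on the page.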

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0
