Splunk® Enterprise

Alerting Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Triggered alerts

Review all recently triggered alerts on the Triggered Alerts page.

For information on configuring the "Add to Triggered Alerts" action, see Monitor triggered alerts.

Triggered alert listing

Alerts appear on the Triggered Alerts page under the following conditions.

  • The "Add to Triggered Alerts" action is enabled for the alert.
  • The alert triggered recently.
  • The alert retention time is not complete.
  • The triggered alert listing has not been deleted.

On the Triggered Alerts page, details appear in the following categories.

Category      Description
Time          Trigger date and time.
Fired alerts  Triggered alert name(s).
App           Alert app context.
Type          Alert type.
Severity      Assigned alert severity level. Severity levels can help you sort or filter alerts on this page.
Mode          Alert triggering configuration mode. "Per-result" means that the alert triggered because of a single event. "Digest" means that the alert triggered because of a group of events.

Records of triggered alerts are available for twenty-four hours by default. You can configure this expiration time on a per-alert basis. For example, you can give the triggered alert records for a particular alert a lifespan of seven days instead of twenty-four hours. See Configure triggered alert expiration for information on changing the alert record expiration setting for an individual alert.
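The listing conditions and columns described above map onto a handful of settings in savedsearches.conf. The following stanza is an added example and is not part of this documentation topic; the stanza name and the search string are constructed for illustration, and the stanza is assumed to live in an app's local/savedsearches.conf. It enables the "Add to Triggered Alerts" action, sets the Severity and Mode values the page will display, and extends the record retention from the default twenty-four hours to seven days.

```ini
# Added example (not from the Splunk documentation page): constructed stanza
# name and search; place in <app>/local/savedsearches.conf.
[Failed logins from one source]
search = index=_audit action="login attempt" info=failed | stats count by src | where count > 20
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Trigger condition: fire whenever the search returns at least one result
counttype = number of events
relation = greater than
quantity = 0

# "Add to Triggered Alerts" action. Without it the alert never appears on the
# Triggered Alerts page, however often it fires.
alert.track = 1

# Severity column: 1=debug, 2=info, 3=warn, 4=error, 5=severe, 6=fatal
alert.severity = 4

# Mode column: 1 = digest (one listing for the whole result set),
# 0 = per-result (one listing per matching event)
alert.digest_mode = 1

# Retention of the triggered alert record. Default is 24h; seven days here.
alert.expires = 7d
```

After saving the stanza, reload the app (or restart Splunk) and the next triggered run shows up under Activity > Triggered Alerts with Severity "error", Mode "Digest", and a listing that persists for seven days unless it is deleted from the page.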


Access and update triggered alerts

Here are steps for accessing and using the Triggered Alerts page.

Prerequisites
(Optional) Review Triggered alert listing.

Steps

  1. From the top-level navigation bar, select Activity > Triggered Alerts.
  2. Filter any displayed alerts according to App, Owner, Severity, and Alert (alert name).
  3. (Optional) Use the keyword search to find triggered alerts by alert name or app context.
  4. (Optional) Take the following actions from the Alert Manager.
     • View alert search results.
     • Edit the alert search.
     • Delete a triggered alert listing.

Delete a triggered alert listing

By default, triggered alert records on the Triggered Alerts page expire after twenty-four hours. There are a few ways to change whether a triggered alert listing appears on this page.

  • Update triggered alert listing expiration time.
  • Delete a triggered alert listing from the Triggered Alerts page.
  • Disable an alert to prevent it from triggering.
Last modified on 16 February, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3