Splunk® Enterprise

Alerting Manual

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Alert permissions

Alerts are knowledge objects with defined permissions. User roles and capabilities determine alert creation, usage, editing, and other permissions.

By default, only users with the Admin or Power roles can do the following.

  • Create alerts.
  • Run real-time searches.
  • Schedule searches.
  • Save searches.
  • Share alerts.

Authorized users can share an alert with other app users by editing the alert permissions. When sharing an alert with a user without the Admin or Power role, the user needs permission to access the alerting features. For example, a user needs the capability to run a real-time search in order to access a real-time alert.

Admins can configure alert action permissions to change what alert actions are available to users in a particular app. For more information, see Alert Action Permissions.

Alerts can only run with the permissions of their owner, unlike unscheduled reports, which can run with the permissions of either their owner or their user.

See Determine whether to run reports as the report owner or report user in the Reporting Manual.

Sharing an alert

You can configure sharing preferences when creating an alert or edit alert permissions later. Here are the steps for editing alert permissions.

  1. Navigate to the Alerts page in the Search and Reporting app.
  2. Find the alert you want to share and select Edit > Edit Permissions.
  3. Share the alert by configuring which users can access it. Here are the options.
  4. Option Sharing description
    Owner Makes the alert private to the alert creator.
    App Display the alert for all users of the app.
    All apps Display the alert for all users of this Splunk deployment.
  5. Select read and write permissions for the user roles listed.
    • Read: Users can see the alert on the Alerts page and run the alert in the app.
    • Write: Users with appropriate permissions can modify, enable, and disable the alert.
Last modified on 21 February, 2019
Using custom alert actions   Alert action permissions

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters