Splunk® Enterprise

Alerting Manual



Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Additional alert configuration options

It is recommended to create alerts in the Search page and edit them from the Alerts page. In rare cases, authorized users might access the Searches, reports, and alerts page for the following configurations.


Enable summary indexing

Summary indexing is available on scheduled alerts. It can help you perform analysis or report on large amounts of data over long time ranges. Typically, this is time consuming and can impact performance if several users are running similar searches on a regular basis.

Prerequisites
Ensure that the alert's search generates statistical or summary data.

Steps

  1. Using the top-level navigation bar, select Settings > Searches, Reports, and Alerts.
  2. Click Edit > Advanced Edit for the alert you'd like to modify.
  3. To enable the summary index to gather data on a regular interval, search for "alert_type" in the search window in the upper-left section of the window. Set alert_type to always.
  4. For a scheduled alert, search for "summary" to view the summary index options. Set action.summary_index to true. If not already specified, this sets the Alert condition to "Always". This option is not available for real-time alerts.
  5. Click Save.

Searches and summary indexing

To use summary indexing with an alert, create a search that computes statistics or a summary for events over a period of time. Search results are saved into a summary index that you designate. You can search over this smaller summary index instead of working with the larger original dataset.

It is typical to use reporting commands in a search that populates a summary index. See Use summary indexing for increased reporting efficiency in the Knowledge Manager manual.


Update triggered alert record lifespans

By default, each triggered alert record on the Triggered Alerts page expires after 24 hours. You can update the lifespans for triggered alert records on a per-alert basis.

Here are steps for updating the lifespans of the triggered alert records for a specific alert. These steps apply only to alerts that have the "Add to Triggered Alerts" action enabled.

  1. From the top-level navigation bar, select Settings > Searches, reports, and alerts.
  2. (Optional) Select Type > Alerts to filter the list so it displays only alerts.
  3. Locate the alert that you want to modify under Name.
  4. Select Edit > Edit Alert.
  5. Define the lifespan of the triggered alert record by setting the Expires field.
    Enter an integer and select a time unit from the dropdown. For example, to have all triggered alert records for this alert have a three-day lifespan, enter 3 and select day(s).
  6. Click Save.
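The two procedures above (summary indexing and the triggered alert record lifespan) both end up as settings in the alert's savedsearches.conf stanza. The stanza below is an added example, not from the Splunk documentation page; the stanza name, the summary index name, and the search's index and field names are assumptions chosen to illustrate a defender's use case (counting failed logins per user each hour), and the keys other than alert_type and action.summary_index are standard savedsearches.conf settings that this page does not mention.

```ini
# Added example (not from the Splunk documentation page). Stanza name,
# summary index name and the search's index/field names are assumptions.
[Failed logins per user (summary)]

# Scheduled alert: run five minutes past every hour over the previous hour.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# A reporting command populates the summary index. sistats is the
# summary-indexing form of stats; index and field names are assumed.
search = index=auth action=failure | sistats count by user, src

# Alert condition "Always" (step 3 of "Enable summary indexing").
alert_type = always

# Summary indexing enabled (step 4); results go to the designated summary index.
action.summary_index = 1
action.summary_index._name = summary_auth

# "Add to Triggered Alerts" enabled, with the three-day record lifespan
# that the Expires field sets in the second procedure.
alert.track = 1
alert.expires = 3d
```

Once the summary index has been populated, a query such as `index=summary_auth | stats count by user` reports over the much smaller summary data instead of the raw authentication events.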
Last modified on 22 May, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0

