Splunk® Enterprise

Alerting Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Alert examples

Use these examples to learn how to use alert types and triggering options. Each example includes a summary of the alerting use case and components. The examples also include steps for creating the alerts.


Scheduled alert example

A scheduled alert searches for events on a regular basis. It triggers an alert action if results meet the conditions that you specify.


Alert example summary

Use case
Track errors on a Splunk instance. Send an email notification if there are more than five errors in a twenty-four hour period.
Alert type
Scheduled
Search
Look for error events in the last twenty-four hours.
Schedule
Run the search every day at the same time. In this case, the search runs at 10:00 A.M.
Trigger conditions
Trigger the alert action if the search has more than five results.
Alert action
Send an email notification with search result details.

Set up the alert

  1. From the Search Page, create the following search.
    index=_internal " error " NOT debug source=*splunkd.log* earliest=-24h latest=now
    
  2. Select Save As > Alert.
  3. Specify the following values for the fields in the Save As Alert dialog box.
    • Title: Errors in the last 24 hours
    • Alert type: Scheduled
    • Time Range: Run every day
    • Schedule: At 10:00
    • Trigger condition: Number of Results
    • Trigger when number of results: is greater than 5.
  4. Select the Send Email alert action.
  5. Set the following email settings, using tokens in the Subject and Message fields.
    • To: email recipient
    • Priority: Normal
    • Subject: Too many errors alert: $name$
    • Message: There were $job.resultCount$ errors reported on $trigger_date$.
    • Include: Link to Alert and Link to Results

      Accept defaults for all other options.
  6. Click Save.

Real-time alert example

A real-time alert searches continuously for results in real time. You can configure real-time alerts to trigger every time there is a result or if results match the trigger conditions within a particular time window.


Alert example summary

Use case
Monitor for errors as they occur on a Splunk instance. Send an email notification if more than five errors occur within one minute.
Alert type
Real-time
Search
Look continuously for errors on the instance.
Trigger conditions
Trigger the alert if there are more than five search results in one minute.
Alert action
Send an email notification.

Set up the alert

  1. From the Search Page, create the following search.
    index=_internal " error " NOT debug source=*splunkd.log*
  2. Select Save As > Alert.
  3. Specify the following values for the alert fields.
    • Title: Errors reported (Real-time)
    • Alert type: Real-time
    • Trigger condition: Number of Results
    • Trigger if number of results: is greater than 5 in 1 minute.
  4. Select the Send email alert action.
  5. Specify the following email settings, using tokens in the Subject and Message fields.
    • To: email recipient
    • Priority: Normal
    • Subject: Real-time Alert: $name$
    • Message: There were $job.resultCount$ errors.
    • Include: Link to Alert, Link to Results, Trigger Condition, and Trigger Time.
    Accept defaults for all other options.
  6. Click Save.

Throttle the real-time alert

Throttle an alert to reduce its triggering frequency and limit alert action behavior. For example, you can throttle an alert that generates more email notifications than you need.

Throttle the example real-time alert. The following settings change the alert triggering behavior so that email notifications only occur once every ten minutes.

  1. From the Alerts page in the Search and Reporting app, select the alert. The alert details page opens.
  2. Next to the alert Trigger conditions, select Edit.
  3. Select the Throttle option. Specify a 10 minute period.
  4. Click Save.

Custom trigger condition example

When you create an alert you can use one of the available result or field count trigger condition options. You can also specify a custom trigger condition. The custom condition works as a secondary search on the initial results set.

Alert example summary

Use case
Use the Triggered Alerts list to record WARNING error instances.
Alert type
Real-time
Search
Look for all errors in real-time.
Triggering condition
Check the alert search results for errors of type WARNING. Trigger the alert action if results include any WARNING errors.
Alert action
List the alert in the Triggered Alerts page.

Set up the alert

  1. From the Search and Reporting home page, create the following search.
    index=_internal source="*splunkd.log" ( log_level=ERROR OR log_level=WARN* OR 
    log_level=FATAL OR log_level=CRITICAL)
  2. Select Save As > Alert.
  3. Specify the following alert field values.
    • Title: Warning Errors
    • Alert type: Real-time
    • Trigger condition: Custom
    • Custom Condition: search log_level=WARN* in 1 minute
  4. Select the List in Triggered Alerts alert action.
  5. Click Save.
Last modified on 10 June, 2016
Additional alert configuration options   Configure alerts in savedsearches.conf

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters