Splunk Cloud

Splunk Cloud Admin Manual


Use the Alerts panel

CMC provides preconfigured platform alerts for missing forwarders and skipped searches that you can enable. You can also create custom platform alerts using the global Searches, Reports, and Alerts page accessible through the CMC Alerts functionality.

When a CMC platform alert is triggered, Splunk Cloud administrators receive a message in Messages, which is available in the top Splunk Cloud bar. Splunk Cloud administrators can also review alerts on the Triggered Alerts page of the CMC app and the Alerts count column on the Searches, Reports, and Alerts page.

You must be on at least app version 2.1.1 to use the CMC platform alerts functionality. To check the app version, click Support & Services > About. The CURRENT APPLICATION area at the bottom of the About page shows the app's version and build numbers.

Review triggered alerts

To view triggered alerts:

  1. In the CMC navigation bar, click Alerts > Triggered Alerts.
  2. Review the list. The page displays the name of each triggered alert and a timestamp of when it was triggered.

When either preconfigured alert is triggered, CMC displays an alert with a Medium severity level on the Triggered Alerts page.

The following describes the situations that trigger a preconfigured alert and the CMC dashboards to review to take further action.

Preconfigured alert: SIM Alerts - Missing Forwarders
  Description: Runs every 15 minutes and is triggered if there are any forwarders with a status of Missing.
  Dashboards: See the Forwarders: Deployment dashboard, especially the Missing Forwarder Alerts and Status and Configuration - As of <current_timestamp> panels.

Preconfigured alert: SIM Alerts - Skipped Searches
  Description: Runs every 60 minutes and is triggered if the number of skipped searches exceeds 20%.
  Dashboards: See the Skipped Scheduled Searches dashboard.

Review preconfigured alerts

In the CMC navigation bar, click Alerts > Configured Alerts. The table displays the preconfigured CMC alerts, SIM Alerts - Missing Forwarders and SIM Alerts - Skipped Searches, and any custom alerts that you or another Splunk Cloud administrator configured for your organization's deployment. Last Updated shows when an alert was edited.

Click the Enabled toggle to enable or disable an alert.

Click Edit to access the Searches, Reports, and Alerts page. You can view detailed information about an alert and perform specific actions, such as reviewing the alert definition and running the alert.

Do not edit the preconfigured alerts.

Manage CMC Alerts on the Searches, Reports, and Alerts page

To manage CMC platform alerts on the Searches, Reports, and Alerts page, follow these steps:

  1. Access this page through one of the following methods:
    • Click the Edit link adjacent to an alert on the Alerts > Configured Alerts page in the CMC app.
    • In the Splunk Cloud bar at the top of the page, click Settings. In the KNOWLEDGE section, click Searches, reports, and alerts.
  2. Set Type to Alerts.
  3. Set App to Cloud Monitoring Console (splunk_instance_monitoring).
  4. Set Owner to All or Nobody. The SIM alerts for CMC appear.
  5. In the Actions column, click Edit > Enable.

Create custom alerts

You can also create custom platform alerts using the Searches, Reports, and Alerts page. You can access this page through one of the two methods noted in step one of Manage CMC Alerts on the Searches, Reports, and Alerts page. Click the New Alert button to define an alert and the corresponding action (for example, send an email to the email account in a Splunk Cloud administrator's profile) to be performed when the alert is triggered.
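The Review preconfigured alerts and Manage CMC Alerts procedures above are UI click-throughs; an administrator who wants to confirm on a schedule that the two SIM alerts are still enabled, and to pull the triggered-alert list without opening the app, can do the same through the Splunk REST API. The script below is an added example, not Splunk's or the CMC app's own code. It assumes a search head reachable at SPLUNK_URL with a bearer token in SPLUNK_TOKEN, the standard saved/searches and alerts/fired_alerts endpoints, and that saved search entries expose content.disabled and fired-alert entries expose content.triggered_alert_count (these field names are assumptions from the REST API as the author knows it). The custom_alert_payload function builds the form fields that the New Alert dialog would otherwise set, using savedsearches.conf attribute names; its sample search over the scheduler log is constructed for illustration and is not the search the preconfigured SIM Alerts - Skipped Searches alert uses.

```python
"""Audit CMC platform alerts through the Splunk REST API.

Added example (not Splunk's code). Assumptions:
  * SPLUNK_URL  : management endpoint, e.g. https://<stack>.splunkcloud.com:8089
  * SPLUNK_TOKEN: bearer token allowed to read saved searches and fired alerts
  * saved/searches entries carry content.disabled; alerts/fired_alerts entries
    carry content.triggered_alert_count (field names assumed, not taken from the page)
The parsing helpers are pure so they can be exercised offline on constructed data.
"""
import json
import os
import urllib.parse
import urllib.request

CMC_APP = "splunk_instance_monitoring"  # app name from the Manage CMC Alerts steps
PRECONFIGURED_ALERTS = (
    "SIM Alerts - Missing Forwarders",
    "SIM Alerts - Skipped Searches",
)


def _get(base_url, token, path, params=None):
    """GET a REST endpoint as JSON (network call; the offline helpers do not use it)."""
    query = dict(params or {})
    query["output_mode"] = "json"
    url = f"{base_url}{path}?{urllib.parse.urlencode(query)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def disabled_preconfigured_alerts(saved_searches_json):
    """Return the preconfigured CMC alert names that are missing or disabled.

    `saved_searches_json` is the decoded body of
    GET /servicesNS/nobody/splunk_instance_monitoring/saved/searches?output_mode=json
    content.disabled may arrive as a boolean or as a "0"/"1" string, so both are handled.
    """
    disabled_by_name = {}
    for entry in saved_searches_json.get("entry", []):
        content = entry.get("content", {})
        flag = str(content.get("disabled", "0")).lower()
        disabled_by_name[entry["name"]] = flag in ("1", "true")
    # An alert that is absent from the listing is reported too: it cannot fire.
    return [name for name in PRECONFIGURED_ALERTS if disabled_by_name.get(name, True)]


def summarize_fired_alerts(fired_alerts_json):
    """Map alert name -> number of firings from GET /services/alerts/fired_alerts."""
    summary = {}
    for entry in fired_alerts_json.get("entry", []):
        count = entry.get("content", {}).get("triggered_alert_count", 0)
        summary[entry["name"]] = int(count)
    return summary


def custom_alert_payload(name, search, cron, threshold, email_to):
    """Form fields for POST /servicesNS/nobody/<app>/saved/searches.

    Defines a scheduled alert that fires when the result count exceeds `threshold`
    and sends email; the keys are savedsearches.conf attributes, the REST equivalent
    of what the New Alert dialog sets.
    """
    return {
        "name": name,
        "search": search,
        "cron_schedule": cron,
        "is_scheduled": "1",
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": str(threshold),
        "alert.track": "1",            # list firings on the Triggered Alerts page
        "actions": "email",
        "action.email.to": email_to,
    }


def main():
    base_url = os.environ["SPLUNK_URL"]
    token = os.environ["SPLUNK_TOKEN"]
    saved = _get(base_url, token, f"/servicesNS/nobody/{CMC_APP}/saved/searches",
                 {"search": "SIM Alerts", "count": 0})
    for name in disabled_preconfigured_alerts(saved):
        print(f"WARNING: {name} is missing or disabled")
    fired = _get(base_url, token, "/services/alerts/fired_alerts", {"count": 0})
    for name, count in summarize_fired_alerts(fired).items():
        print(f"{name}: {count} triggered")
    # Constructed example of a custom alert definition (search is illustrative only).
    print(custom_alert_payload(
        "Custom - Skipped searches last hour",
        "index=_internal sourcetype=scheduler status=skipped earliest=-60m",
        "0 * * * *", 20, "admin@example.com"))


if __name__ == "__main__":
    main()
```

Run it from a host that can reach the management port; the offline helpers let you wire the same checks into an existing monitoring job without touching the UI. Do not POST changes to the two preconfigured alerts themselves, consistent with the instruction above not to edit them.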

For more information, see the following:

  • Set up alert actions in the Alerting Manual
  • The global Alert Actions page. To access this page, in the Splunk Cloud bar at the top of the page, click Settings. In the KNOWLEDGE section, click Alert actions.
Last modified on 18 February, 2021

This documentation applies to the following versions of Splunk Cloud: 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104