Create scheduled alerts
Create a scheduled alert to search for events on a regular schedule. You can configure scheduling, trigger conditions, and throttling to customize the alert.
Using cron expressions
You can use a cron expression to customize alert scheduling. See Use cron expressions for scheduling to learn more.
Create a scheduled alert
- Use cron expressions for scheduling
- Alert scheduling tips
- Configure alert trigger conditions
- Monitor triggered alerts
- Navigate to the Search page in the Search and Reporting app.
- Create a search.
- Select Save As>Alert.
- Enter a title and optional description.
- Specify permissions.
- Configure alert scheduling. There are two options for scheduling.
Option Next steps for this option Select one of the available scheduling options and set a time. None. For further customization, select Run on Cron Schedule to use a time range and cron expression.
- Enter the Earliest and Latest values for the search time range. These values override the original search time range. To avoid overlaps or gaps, the execution schedule should match the search time range. For example, to run a search every 20 minutes the search time range should also be 20 minutes (-20m).
- Enter a cron expression to schedule the search. See cron expression examples here: Use cron expressions for scheduling.
- (Optional) Change the Expires setting. This setting controls the lifespan of triggered alert records, which appear on the Triggered Alerts page.
- Configure trigger conditions.
- (Optional) Configure a trigger throttling period.
- Select one or more alert actions that should happen when the alert triggers.
- Click Save.
Alert type and triggering scenarios
Use cron expressions for alert scheduling
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2106, 8.1.2103, 8.2.2105, 8.2.2107, 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release), 8.2.2202