By default, only users with the Admin or Power roles can do the following.
- Create alerts.
- Run real-time searches.
- Schedule searches.
- Save searches.
- Share alerts.
Authorized users can share an alert with other app users by editing the alert permissions. When sharing an alert with a user without the Admin or Power role, the user needs permission to access the alerting features. For example, a user needs the capability to run a real-time search in order to access a real-time alert.
Admins can configure alert action permissions to change what alert actions are available to users in a particular app. For more information, see Alert Action Permissions.
Alerts can only run with the permissions of their owner, unlike unscheduled reports, which can run with the permissions of either their owner or their user.
See Determine whether to run reports as the report owner or report user in the Reporting Manual.
Sharing an alert
You can configure sharing preferences when creating an alert or edit alert permissions later. Here are the steps for editing alert permissions.
- Navigate to the Alerts page in the Search and Reporting app.
- Find the alert you want to share and select Edit > Edit Permissions.
- Share the alert by configuring which users can access it. Here are the options.
- Select read and write permissions for the user roles listed.
- Read: Users can see the alert on the Alerts page and run the alert in the app.
- Write: Users with appropriate permissions can modify, enable, and disable the alert.
|Owner||Makes the alert private to the alert creator.|
|App||Display the alert for all users of the app.|
|All apps||Display the alert for all users of this Splunk deployment.|
Using custom alert actions
Alert action permissions
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2106, 8.2.2107, 8.2.2105, 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release), 8.2.2202, 8.2.2203