Use the Alerts panel

CMC provides preconfigured platform alerts for missing forwarders and skipped searches that you can enable. You can also create custom platform alerts using the global Searches, Reports, and Alerts page accessible through the CMC Alerts functionality.

When a CMC platform alert is triggered, the following actions happen for Splunk Cloud Platform administrators:

A message displays in Messages, which is available in the top Splunk Cloud bar in Splunk Web.
A message alert displays on registered mobile devices that are equipped with a Splunk Mobile app.

Splunk Cloud Platform administrators can also review alerts on the Triggered Alerts page of the CMC app and the Alerts count column on the Searches, Reports, and Alerts page.

You must be on at least app version 2.1.1 to use the CMC platform alerts functionality. To check the app version, select Support & Services > About. The CURRENT APPLICATION area at the bottom of the About page shows the app's version and build numbers.

Review triggered alerts

To view triggered alerts:

In the CMC navigation bar, select Alerts > Triggered Alerts.
The page displays the name of any triggered alert and a timestamp of when it was triggered.

When a preconfigured alert is triggered, CMC displays an alert with a 3 severity level on the Triggered Alerts page, which indicates medium severity.

Starting with CMC 2.6.0, preconfigured alerts use the prefix CMC. Alerts with the prefix SIM are retained for backwards compatibility.

The table describes the situations that trigger a preconfigured alert and the CMC dashboards to review to take further action.

Preconfigured alert	Description	Dashboards
CMC Alerts - New Data in Index Specified as "lastchanceindex"	Runs at 12 minutes past midnight every day and is triggered if there is new data in the index specified as the `lastchanceindex` in the last 24 hours.	See the following: Manage indexes in the Splunk Cloud Platform Admin Config Service (ACS) API endpoint reference lastChanceIndex definition in the Splunk Enterprise Admin Manual
CMC Alerts - Storage Capacity Exceeds 80%	Runs at 4:16 AM every day and is triggered if the searchable storage usage percent value for your deployment exceeds 80%.	See the table in Review the Searchable Storage (DDAS) dashboard, especially the Searchable Storage Usage Percent panel description.
CMC Alerts - SVC Utilization Exceeds 80% for 3 Hours	Runs every hour at 12 minutes past the hour and is triggered if the SVC utilization value for your deployment exceeds 80% over a 3-hour timespan.	See the table in Review the Workload dashboard, especially the SVC Usage panel description.
SIM Alerts - Missing Forwarders	Runs every 15 minutes and is triggered if there are any forwarders with a status of Missing.	See the Forwarders: Deployment dashboard, especially the Missing Forwarder Alerts and Status and Configuration - As of <current_timestamp> panels.
SIM Alerts - Skipped Searches	Runs every 60 minutes and is triggered if the number of skipped searches exceeds 20%.	See the Skipped Scheduled Searches dashboard.

Review preconfigured alerts

In the CMC navigation bar, select Alerts > Configured Alerts. The table displays the preconfigured CMC alerts and any custom alerts that you or another Splunk Cloud Platform administrator configured for your organization's deployment. Last Updated shows when an alert was edited.

Select the Enabled toggle to enable or disable an alert.

Select the Mobile Alert toggle to enable or disable an alert on mobile devices. Enabling an alert automatically enables it for display for Splunk Cloud Platform administrators on Splunk Web and registered mobile devices equipped with a Splunk Mobile app. For more information on downloading and registering a Splunk Mobile app, see the following:

Select Edit to access the Searches, Reports, and Alerts page. You can view detailed information about an alert and perform specific actions, such as reviewing the alert definition and running the alert.

Do not edit the search field for preconfigured alerts.

Manage CMC Alerts on the Searches, Reports, and Alerts page

To manage CMC platform alerts on the Searches, Reports, and Alerts page, follow these steps:

Access this page through one of the following methods:

Select the Edit link adjacent to an alert on the Alerts > Configured Alerts page in the CMC app.
In the Splunk Cloud bar at the top of the page, select Settings. In the KNOWLEDGE section, select Searches, reports, and alerts.

Set Type to Alerts.
Set App to Cloud Monitoring Console (splunk_instance_monitoring).
Set Owner to All or Nobody. The CMC and SIM alerts for CMC appear.
In the Actions column, select Edit > Enable.

Create custom alerts

You can also create custom platform alerts using the Searches, Reports, and Alerts page. You can access this page through one of the two methods noted in step one of Manage CMC Alerts on the Searches, reports, and alerts page. Select the New Alert button to define an alert and the corresponding action to be performed when the alert is triggered. For example, you can send an email to the email account in a Splunk Cloud Platform administrator's profile, or an alert to their registered mobile device equipped with a Splunk Mobile app.

For more information, see the following:

Set up alert actions in the Alerting Manual
The global Alert Actions page. To access this page, in the Splunk Cloud bar at the top of the page, select Settings. In the KNOWLEDGE section, select Alert actions.

Splunk Cloud Platform Admin Manual

Related Answers

Use the Alerts panel

Review triggered alerts

Review preconfigured alerts

Manage CMC Alerts on the Searches, Reports, and Alerts page

Create custom alerts

Comments

Use the Alerts panel