Splunk® Light (Legacy)

Search and Reporting Examples


Notify when server load reaches a threshold using Splunk Light

Task

Configure Splunk Light to notify you when a server's load reaches a predefined threshold, such as 80%.

Part 1: Run the search

The following search retrieves events with load averages above 80% and calculates the maximum value for each host.

sourcetype=top load_avg>80 | stats max(load_avg) by host

Part 2: Configure an alert

Save the search as an alert and configure the alert condition and alert actions as follows.

  • Alert condition: Alert if the search returns at least one result.
  • Alert actions: Email and set subject to "Server load above 80%."
  • Suppress: 1 hour.

1. After you run the search, click Save as and select Alert.


2. In the Save As Alert dialog box, enter a Title and, optionally, a Description.

3. Next to Alert Type, select Real Time.

4. Next to Trigger condition, select Per-Result.

5. Click Next.

6. Under Enable Actions, select Send Email.


6a. Next to To, enter the email recipients.

6b. (Optional) Change the Priority level for this alert.

6c. Next to Subject, enter "Server load above 80%."

6d. (Optional) Enter a Message to include with the email.

6e. Next to Include, select Inline and choose Raw to include the event that triggered the alert in the email.

7. Under Action Options, select Throttle.


7a. Next to Suppress triggering for, enter 1 and select hour(s).

8. Click Save.
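
The alert logic from Parts 1 and 2, modeled in Python over constructed sample events. This is an added example, not part of the Splunk documentation and not Splunk's implementation. The sample data and the per_host switch are assumptions; the model shows how a single 1-hour throttle window can hide a second host crossing the threshold.

```python
from datetime import datetime, timedelta

THRESHOLD = 80                  # load_avg threshold used in the search
SUPPRESS = timedelta(hours=1)   # throttle window from step 7a

# Constructed sample events: (timestamp, host, load_avg)
EVENTS = [
    ("2016-08-11 09:00", "web01", 72.0),
    ("2016-08-11 09:05", "web01", 85.5),
    ("2016-08-11 09:20", "web01", 91.0),
    ("2016-08-11 09:40", "db01", 88.0),
    ("2016-08-11 10:10", "web01", 83.0),
    ("2016-08-11 10:30", "db01", 79.9),
]

def parse(events):
    """Convert timestamp strings to datetime objects."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), h, v) for t, h, v in events]

def max_load_by_host(events, threshold=THRESHOLD):
    """Model of: load_avg>80 | stats max(load_avg) by host"""
    result = {}
    for _, host, load in parse(events):
        if load > threshold:
            result[host] = max(load, result.get(host, load))
    return result

def notifications(events, threshold=THRESHOLD, suppress=SUPPRESS, per_host=False):
    """Return (time, host, load) for each event that would send an email.

    per_host=False: one throttle window shared by the whole alert.
    per_host=True:  a separate throttle window per host (assumed variant).
    """
    last_sent = {}
    sent = []
    for ts, host, load in sorted(parse(events)):
        if load <= threshold:
            continue                      # does not match the search
        key = host if per_host else "*"
        if key in last_sent and ts - last_sent[key] < suppress:
            continue                      # inside the throttle window
        last_sent[key] = ts
        sent.append((ts.strftime("%H:%M"), host, load))
    return sent

if __name__ == "__main__":
    print(max_load_by_host(EVENTS))
    print(notifications(EVENTS))
    print(notifications(EVENTS, per_host=True))
```

With the shared window, the db01 event at 09:40 falls inside the hour that started with web01 at 09:05 and produces no email in this model.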

Last modified on 11 August, 2016

This documentation applies to the following versions of Splunk® Light (Legacy): 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6

