About alerting in Splunk Light
An alert is an action that triggers based on specified results of the search. When creating an alert, you specify a condition that triggers the alert and configure actions such as sending an email or running a script.
An alert executes its action only when its conditions are met. An alert that reports failed logins each hour, for example, does not send an email for an hour in which there are no failed logins. To avoid sending alerts too frequently, you can specify a throttle condition.
Splunk Light lets you configure or enable different types of alerts: scheduled, real-time, and platform alerts.
Use a scheduled alert to notify when a scheduled search returns results that meet a specific condition. A scheduled alert is useful when immediate response to the alert is not a priority.
Scheduled alert examples include:
- Trigger an alert that runs daily, notifying when the number of items sold that day is less than 500.
- Trigger an alert that runs hourly, notifying when the number of 404 errors in any hour exceeds 100.
Real-time alerts
Per-result alerting
Use a per-result alert to notify when a real-time search returns a result that matches a condition. You can specify a throttle condition so the alert triggers only once within a specified time period.
Per result examples include the following:
- Trigger an alert for every failed login attempt.
- Trigger an alert when a "file system full" error occurs on any host. You can specify field values to suppress notifications for hosts that you do not want to be alerted about.
- Trigger an alert when a CPU on a host sustains 100% utilization for an extended period of time.
Rolling-window alerting
Use a rolling-window alert to monitor the results of a real-time search within a specified time interval, such as every 10 minutes or every four hours.
Rolling-window alert examples include:
- Trigger an alert when there are three consecutive failed logins for a user within a 10-minute period. You can set a throttle condition to limit the alert to once an hour for any given user.
- Trigger an alert when a host is unable to complete an hourly file transfer to another host. Set a throttle condition so the alert fires only once every hour for any specific host.
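To show how the rolling-window condition and the throttle setting above combine, the following is an added Python simulation, not Splunk code (Splunk Light evaluates these conditions in its own scheduler). It reads constructed login events, fires when a user accumulates three failures within a 10-minute window, and then suppresses further alerts for that user for one hour; it counts failures in the window rather than checking that no success occurred between them.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the page): one line per login attempt.
SAMPLE_EVENTS = [
    "2019-06-01T10:00:05 user=alice action=login result=failure",
    "2019-06-01T10:02:10 user=alice action=login result=failure",
    "2019-06-01T10:04:30 user=alice action=login result=failure",  # third in 10 min: fires
    "2019-06-01T10:05:00 user=alice action=login result=failure",  # throttled for alice
    "2019-06-01T10:06:00 user=bob action=login result=failure",
    "2019-06-01T10:20:00 user=bob action=login result=failure",    # 10:06 has left bob's window
    "2019-06-01T10:25:00 user=bob action=login result=failure",    # only two in window: no alert
    "2019-06-01T11:10:00 user=alice action=login result=failure",
    "2019-06-01T11:12:00 user=alice action=login result=failure",
    "2019-06-01T11:14:00 user=alice action=login result=failure",  # throttle expired: fires again
]

def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under _time."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["_time"] = datetime.fromisoformat(ts)
    return fields

def rolling_window_alert(lines, window=timedelta(minutes=10), threshold=3,
                         throttle=timedelta(hours=1), throttle_field="user"):
    """Return the (time, throttle_field value) pairs at which the alert fires."""
    failures = {}          # user -> failure timestamps still inside the rolling window
    suppressed_until = {}  # user -> time at which the throttle period ends
    fired = []
    for ev in (parse_event(line) for line in lines):
        if ev.get("action") != "login" or ev.get("result") != "failure":
            continue
        key, now = ev[throttle_field], ev["_time"]
        recent = [t for t in failures.get(key, []) if now - t < window]
        recent.append(now)
        failures[key] = recent
        if len(recent) >= threshold:
            if key in suppressed_until and now < suppressed_until[key]:
                continue  # same user, same condition, inside the throttle period
            fired.append((now, key))
            suppressed_until[key] = now + throttle
    return fired

if __name__ == "__main__":
    for when, user in rolling_window_alert(SAMPLE_EVENTS):
        print(f"{when.isoformat()} alert: repeated failed logins for user={user}")
```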
Platform alerts
Platform alerts are preconfigured alerts that you can optionally enable. After you enable a platform alert, the user interface displays a notification if the alert triggers.
Enable platform alerts by selecting System > Platform alerts. You can optionally edit the platform alerts to set or modify an alert action, such as sending an email. View a list of triggered platform alerts in the Triggered alerts or Resource usage dashboards.
Platform alerts are disabled by default.
Platform alerts included with Splunk Light
Platform alerts that are included with Splunk Light are listed in the table. To start monitoring your deployment with platform alerts, enable the individual alerts.
| Alert name | Description | For more information |
| --- | --- | --- |
| DMC Alert - Expired and Soon To Expire Licenses | Triggers when you have a license that is expired or will expire within two weeks. | Click Licensing in the sidebar menu. |
| DMC Alert - Missing forwarders | Triggers when one or more forwarders are missing. | Click Forwarder management in the sidebar menu. |
| DMC Alert - Near-Critical Disk Usage | Triggers when you use 80% of your disk capacity. | Click the Resource Usage dashboard in the sidebar menu. |
| DMC Alert - Total License Usage Near Daily Quota | Triggers when you use 90% of your total daily license quota. | Click Licensing in the sidebar menu. |
Use throttling to limit alerts
An alert can trigger frequently if the search returns many similar results within its scheduled period. Throttling reduces how often an alert notifies you.
To throttle an alert, you configure the time period during which results are suppressed and, optionally, the field values (returned by the search) on which suppression is keyed.
For example, assume that when a particular system error occurs, it typically occurs 20 or more times each minute. You can configure throttling so that when one alert of this type triggers, it suppresses all successive alerts of the same type for the next 10 minutes. After each successive 10-minute period passes, the alert can trigger again.
This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0