Splunk® Light

Getting Started Manual

Download manual as PDF

Download topic as PDF

About alerting in Splunk Light

An alert is an action that triggers based on specified results of the search. When creating an alert, you specify a condition that triggers the alert and configure actions such as sending an email or running a script.

An alert executes its action only when it meets specified conditions. An alert to notify of failed log-ins each hour does not send an email if there are no failed log-ins for a specific hour. To avoid sending out alerts too frequently, you can specify a throttle condition.

Splunk Light lets you configure or enable different types of alerts, including schedule, real time, and platform alerts.

Scheduled alert

Use a scheduled alert to notify when a scheduled search returns results that meet a specific condition. A scheduled alert is useful when immediate response to the alert is not a priority.

Scheduled alert examples include:

  • Trigger an alert that runs daily, notifying when the number of items sold that day is less than 500.
  • Trigger an alert that runs hourly, notifying when the number of 404 errors in any hour exceeds 100.

Real Time alert

Per result alerting

Use a per result alert to notify when a real-time search returns a result that matches a condition. You can specify a throttle condition so the alert triggers only once for a specified time period.

Per result examples include the following:

  • Trigger an alert for every failed login attempt.
  • Trigger an alert when a "file system full" error occurs on any host. You can specify field values that suppresses hosts for which you do not want an alert notification.
  • Trigger an alert when a CPU on a host sustains 100% utilization for an extended period of time.

Rolling-window alert

Use a rolling window alert to monitor results of a real-time search within a specified time interval, such as every 10 minutes or every four hours.

Rolling-window alert examples include:

  • Trigger an alert when there are three consecutive failed logins for a user within a 10 minute period. You can set a throttle condition to suppress an alert to once an hour from any user.
  • Trigger an alert when a host is unable to complete an hourly file transfer to another host. Set a throttle condition so the alert fires only once every hour for any specific host.

Platform alerts

Platform alerts are preconfigured alerts that you can optionally enable. After you enable a platform alert, the user interface displays a notification if the alarm triggers.

Enable platform alerts by selecting System > Platform alerts. You can optionally edit the platform alerts to set or modify an alert action, such as sending an email. View a list of triggered platform alerts in the Triggered alerts or Resource usage dashboards.

Platform alerts are disabled by default.

Platform alerts included with Splunk Light

Platform alerts that are included with Splunk Light are listed in the table. To start monitoring your deployment with platform alerts, enable the individual alerts.

Alert name Description For more information
DMC Alert - Expired and Soon To Expire Licenses Triggers when you have a license that is expired or will expire within two weeks. Click Licensing in the sidebar menu.
DMC Alert - Missing forwarders Triggers when one or more forwarders are missing. Click Forwarder management in the sidebar menu.
DMC Alert - Near-Critical Disk Usage Triggers when you use 80% of your disk capacity. Click the Resource Usage dashboard in the sidebar menu.
DMC Alert - Total License Usage Near Daily Quota Triggers when you use 90% of your total daily license quota. Click Licensing in the sidebar menu.

Use throttling to limit alerts

An alert can trigger frequently if the search returns many similar results within the scheduled period of the search. Throttling reduces the frequency that an alert notifies you.

To throttle alerts, you can configure the time period in which to suppress results and the field values that the search returns.

For example, assume that when a particular system error occurs, it typically occurs 20 or more times each minute. You can configure throttling so that when one alert of this type triggers, it suppresses all successive alerts of the same type for the next 10 minutes. After each successive 10 minute period passes, the alert can trigger again.

PREVIOUS
Check search and scheduler activity in Splunk Light
  NEXT
Use dashboards in Splunk Light

This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters