Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux

On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports.The Splunk Add-on for Unix and Linux remains supported.
This documentation does not apply to the most recent version of Splunk® App for Unix and Linux (Legacy). For documentation on the most recent version, go to the latest release.

Create custom alerts

The Splunk App for Unix and Linux comes with twelve alerts which you can configure in the Settings: Alerts dialog. If you want, you can add custom alerts by saving searches and adding specific parameters to make them also appear in the Settings: Alerts dialog. This topic shows you how to configure custom alerts and prepare them for use in the Splunk App for Unix and Linux's alert system.

Build and configure custom alerts

The alerts that appear in the Settings: Alerts window are saved searches with a special field added. To add additional alerts and have them appear here, perform the following steps:

1. While in the context of the Splunk App for Unix and Linux, create and save a search with the desired parameters that comprise an alert. (You can access the search page by clicking Search on the navigation bar.)

Important: Your custom search must include language that splits its results by the host field. For example:

stats(CPU) by host

2. Save the search.

3. Go into Splunk Settings.

  • In Splunk version 5, choose Manager from the upper right on the navigation bar.
  • In Splunk version 6, choose Settings.

4. Choose Searches and reports

5. Locate the search you just created and saved and click its name in the list.

Splunk opens the configuration settings for the search.

6. In the Schedule and Alert section, click the Schedule this search checkbox.

7. Make sure that the Alert condition is set to Always.

8. Enable summary indexing for the alert by clicking Enable under the Summary Indexing section.

9. In the Add fields text boxes, add the following field:

marker = unix_aggregated_alerts

10. Click Save to save the changes to the search.

When you next visit the Settings: Alerts dialog, you should see the custom alert in the list.

Last modified on 16 November, 2016
Troubleshoot the Splunk App for Unix and Linux   Saved searches

This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.2.0, 5.2.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters