Create custom alerts
The Splunk App for Unix and Linux comes with twelve alerts which you can configure in the Settings: Alerts dialog. If you want, you can add custom alerts by saving searches and adding specific parameters to make them also appear in the Settings: Alerts dialog. This topic shows you how to configure custom alerts and prepare them for use in the Splunk App for Unix and Linux's alert system.
Build and configure custom alerts
The alerts that appear in the Settings: Alerts window are saved searches with a special field added. To add additional alerts and have them appear here, perform the following steps:
- While in the context of the Splunk App for Unix and Linux, create and save a search with the desired parameters that comprise an alert. (You can access the search page by clicking Search on the navigation bar.)
Important: Your custom search must include language that splits its results by the
hostfield. For example:
stats(CPU) by host
- Save the search.
- Go into Splunk Settings.
- In Splunk version 5, choose Manager from the upper right on the navigation bar.
- In Splunk version 6, choose Settings.
- Choose Searches and reports
- Locate the search you just created and saved and click its name in the list. Splunk opens the configuration settings for the search.
- In the Schedule and Alert section, click the Schedule this search checkbox.
- Make sure that the Alert condition is set to Always.
- Enable summary indexing for the alert by clicking Enable under the Summary Indexing section.
- In the Add fields text boxes, add the following field:
marker = unix_aggregated_alerts
- Click Save to save the changes to the search.
When you next visit the Settings: Alerts dialog, you should see the custom alert in the list.
Troubleshoot the Splunk App for Unix and Linux
This documentation applies to the following versions of Splunk® App for Unix and Linux: 5.2.3, 5.2.4, 5.2.5