Built-in alert conditions

When you create rules in detectors to specify conditions that trigger alerts, Splunk Infrastructure Monitoring provides a number of built-in conditions that detect common problem scenarios. Many of these alert conditions provide more powerful ways of monitoring signals than the standard practice of comparing a signal to a static threshold.

The following table summarizes the available built-in alert conditions. To learn more about each condition, select the name of the condition.

| Condition | Description | Example |
| --- | --- | --- |
| Static Threshold | Alert when a signal crosses a static threshold | Availability over the last day is below 99.9. |
| Heartbeat Check | Alert when a signal has stopped reporting for some time | Host-linux-001 has not reported for 15 minutes. |
| Resource Running Out | Detect when a signal is projected to reach a specified minimum or maximum value | disk_space_available is projected to decrease to zero within 24 hours. cpu.utilization is projected to reach 95 within 2 hours. |
| Outlier Detection | Alert when the signal from one data source differs from similar data sources | The number of logins in the last 10 minutes for this instance is 3 standard deviations lower than other instances in the same AWS availability zone. |
| Sudden Change | Alert when a signal is different from its normal behavior (based on mean of preceding window or percentile of preceding window) | All the values for cpu.utilization received in the last 15 minutes are at least 3 standard deviations higher than the mean of the preceding hour. All the values for latency received in the last 10 minutes are greater than 99% of the values of the preceding 1 hour. |
| Historical Anomaly | Alert when a signal differs by a specified amount when compared to similar periods in the past | The average number of logins in the last 2 hours is 3 standard deviations higher than the average for this same 2 hours last week. |
| Custom threshold | Alert when a signal crosses another signal, or when you want to specify compound conditions using AND and OR operators. | The value for cache_misses is above cache_hits OR the value for cache_misses_percent is above 10. |
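
The two Sudden Change examples in the table, sketched in Python as an added illustration; this is not Splunk's implementation and not part of the original page. The function names, the population standard deviation, the nearest-rank percentile and the sample series are assumptions made for the example.

```python
from statistics import mean, pstdev


def split_windows(series, current_len, history_len):
    """Return (history, current) slices taken from the end of a per-minute series."""
    if len(series) < current_len + history_len:
        raise ValueError("not enough data points for both windows")
    current = series[-current_len:]
    history = series[-(current_len + history_len):-current_len]
    return history, current


def sudden_change_mean(series, current_len=15, history_len=60, num_std=3.0):
    """True when every current value is at least num_std deviations above the history mean."""
    history, current = split_windows(series, current_len, history_len)
    std = pstdev(history)
    threshold = mean(history) + num_std * std
    if std == 0:
        # A flat history collapses the threshold to the mean; require a strict
        # increase so a constant signal never fires.
        return all(v > threshold for v in current)
    return all(v >= threshold for v in current)


def sudden_change_percentile(series, current_len=10, history_len=60, pct=99):
    """True when every current value is greater than pct% of the history values."""
    history, current = split_windows(series, current_len, history_len)
    ranked = sorted(history)
    # Nearest-rank percentile (assumption; other definitions interpolate).
    rank = max(1, -(-pct * len(ranked) // 100))  # ceil(pct * n / 100)
    cutoff = ranked[rank - 1]
    return all(v > cutoff for v in current)


# Constructed per-minute samples: one quiet hour, then a recent window.
QUIET_HOUR = [40 + (i % 5) for i in range(60)]   # values cycle 40..44
SPIKE = QUIET_HOUR + [70] * 15                   # sustained jump for 15 minutes
BLIP = QUIET_HOUR + [42] * 14 + [95]             # one high sample only

if __name__ == "__main__":
    print("sustained jump, mean rule:", sudden_change_mean(SPIKE))
    print("single blip, mean rule:", sudden_change_mean(BLIP))
    print("sustained jump, percentile rule:",
          sudden_change_percentile(QUIET_HOUR + [70] * 10))
```

Because the condition requires all values in the recent window to exceed the threshold, a single high sample does not fire, while a sustained shift does.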