
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6

How alerting works

Alerts are searches you've configured to run on a schedule and send you their results. Use alerts to notify you of changes in your data, network infrastructure, file system or other devices you're monitoring. Alerts can be sent via email or RSS, or trigger a shell script. You can turn any saved search into an alert.

An alert consists of:

  • a schedule for performing the search
  • conditions for triggering an alert
  • actions to perform when the triggering conditions are met

Enable alerts

Set up an alert at the time you create a saved search, or enable an alert on any existing saved search you have permission to edit. Configure alerts via:

Specify overall email settings for alerts

To specify the mail host, email format, subject, sender, and whether or not the results of the alert should be included inline:

  • In Splunk Web, click Manager > Email alert settings and specify your choices.
  • Click Save.

All alerts will now use these settings.

Scripted alerts

Alerts can also trigger shell scripts. When you configure an alert, specify a script you've written; Splunk runs it whenever the alert's triggering conditions are met. You can use this feature to pass alerts on to other applications. Learn more about configuring scripted alerts.

You can use scripted alerts to send syslog events, or SNMP traps.
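As an added example (not from this page and not Splunk's own code), here is a hypothetical scripted-alert handler that forwards a triggered alert to the local syslog daemon. It assumes the positional-argument order Splunk 4.x documents for alert scripts (event count, search terms, query string, saved-search name, trigger reason, results link, unused, results file); that order is an assumption here, so verify it against the scripted-alert documentation linked above. It also assumes a `logger` command on the host and falls back to stderr when there is none.

```shell
#!/bin/sh
# Hypothetical scripted-alert handler (added example, not Splunk's own code).
# Assumed Splunk 4.x argument order for alert scripts (verify for your version):
#   $1 number of events returned   $2 search terms   $3 fully qualified query string
#   $4 name of the saved search    $5 trigger reason $6 link to saved search results
#   $7 (unused)                    $8 path to the file in which results were saved

# Replace non-printable characters and escape double quotes so that a
# saved-search name or trigger reason cannot inject extra lines, terminal
# escapes, or a closing quote into the syslog stream.
sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '?' | sed 's/"/\\"/g'
}

# Build one syslog-friendly key=value line from the alert arguments.
build_syslog_line() {
    count=$1
    name=$(sanitize "$4")
    reason=$(sanitize "$5")
    printf 'splunk_alert name="%s" events=%s reason="%s"' "$name" "$count" "$reason"
}

# Hand the line to the local syslog daemon; fall back to stderr if logger is absent.
send_alert() {
    line=$(build_syslog_line "$@")
    if command -v logger >/dev/null 2>&1; then
        logger -t splunk-alert -p user.warning -- "$line"
    else
        printf '%s\n' "$line" >&2
    fi
}

# Only act when invoked by Splunk with the expected arguments; sourcing or
# running the file without arguments does nothing.
if [ "$#" -ge 5 ]; then
    send_alert "$@"
fi
```

Splunk runs alert scripts as the user the splunkd process runs as, so keep the script owned by that user, not world-writable, and avoid passing the raw arguments to any command line unquoted; the sanitize step above is what keeps a crafted saved-search name from becoming a forged log line on the receiving syslog host.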

Customize alerts

Use the alert_actions.conf file to customize alert settings, for example the email configuration (mail server, subject line, etc.). Learn more about customizing alert options.
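An added illustration of the kind of override the paragraph above describes; it is not copied from Splunk's shipped defaults. The stanza and key names follow the [email] section of alert_actions.conf as documented for 4.x, but treat them as an assumption and check them against your version's alert_actions.conf.spec before use; the host names and addresses are constructed placeholders.

```ini
# Hypothetical local override placed in $SPLUNK_HOME/etc/system/local/alert_actions.conf
# (key names assumed from alert_actions.conf.spec; verify for your Splunk version;
#  hosts and addresses are constructed placeholders)
[email]
mailserver = mailrelay.example.com:25
from = splunk-alerts@example.com
subject = Splunk Alert: $name$
format = html
inline = false
```

Because Splunk does not authenticate to the mail server, the relay named in `mailserver` has to accept unauthenticated submissions from the Splunk host; restrict relaying on that host to the Splunk server's address so the same open path is not usable by other clients on the LAN. Leaving `inline = false` keeps search results out of the message body, which matters when alert mail traverses systems that are not cleared for the data the search returns.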

Considerations

When configuring alerts, keep the following in mind:

  • Too many alerts/saved searches running at once may slow down your system -- depending on the hardware, 20-30 alerts running at once should be OK. If the searches your alerts are based on are complex, you should make the interval longer and spread the searches out more.
  • Set a time frame for alerts that makes sense -- if the search takes longer than 4-5 minutes to run, don't set it to run every five minutes.
  • You must have a mail server running on the LAN that the Splunk server can connect to. Splunk does not authenticate against the mail server.
  • Read more about best practices for alert configuration on the Splunk Community Wiki.
Revision: 207