You can configure alerts to trigger actions when certain events occur. When you set up an alert, search results trigger an alert action if they match the alert conditions. You can configure an alert to send an email notification, SNMP trap, and log a message in the syslog. Note that alerts are executed based on update frequencies for each corresponding search. For example, DHCP Lease History alerts are executed every 10 minutes, and Device Trend alerts are executed every 30 minutes at the 17th and 47th minutes of each hour (one minute after the search updates). For information about search indexes and update time intervals, see Reporting Indexes and Update Time Intervals. You can also throttle an alert if you want to change its frequency. For more information, refer to the Splunk documentation.
You can do the following in the Alerts page:
- Create scheduled alerts, as described in Creating Scheduled Alerts.
- Edit permissions, as described in Editing Permissions.
- Edit alert type, trigger condition, and alert actions, as described in Editing Alerts.
- Clone an alert, as described in Cloning Alerts.
Creating Scheduled Alerts
You can schedule an alert to notify when a scheduled report returns results that meet a specific condition. The appliances sends an alert when it encounters the trigger condition.
- From the Reporting tab, select the Alerts tab -> select an alert and click Open in Search.
- From the Save As drop-down list, click Alert.
- In the Save As Alert dialog box, complete the following:
- Specify the title and description.
- Alert Type: Select Scheduled
- Time Range: Specify the time range. For example you can select Run Every Day.
- Schedule At: Specify the time.
- Trigger Condition: Specify trigger conditions. For more information, refer to the Splunk documentation.
- Trigger Actions: Click this to configure alert actions. You can select the following:
- Send SNMP Trap: Select this to enable SNMP traps. For information about how to trigger SNMP traps for reporting event types, see Defining Thresholds for Traps.
- Send email: Select this to send alert notification through email. You can specify email address in the To text box.
- Send to Syslog. Select this to log a message in the syslog. If you configure this option with an alert, the message goes to the syslog on the reporting member or indexer.
- File Transfer Action: Select this to upload the search results to an FTP or SCP or TFTP server configured in the Set up page. For information, see Reporting (Index) Storage Space.
4. Click Save.
You can edit alert type, trigger condition, and alert actions, as follows:
- From the Reporting tab, select the Alerts tab -> select an alert.
- From the Edit drop-down list, select Edit Alert Type and Trigger Condition to edit alert settings. In the Edit Alert Type and Trigger Condition dialog box, make the required changes. For information, see Creating Scheduled Alerts.
From the Edit drop-down list, select Edit Actions to edit alert actions. In the Edit Actions dialog box, make the required changes. For information, see Creating Scheduled Alerts .
- Click Save.
- From the Reporting tab, select the Alerts tab.
- Select an alert you want to clone, click Edit -> Clone.
- Enter a new title, ID, and description. Click Clone Alert.
- Optionally, you can click Open in Search to open the cloned alert in the Search page.
- Click View, and do one of the following in the Your report has been created dialog box:
- Click View to view your report on the Report page.
- Click Continue Editing to edit.
- Click Add to Dashboard to add new report to the dashboard panel.
You can also complete the following settings in the Your report has been created dialog box:
- Permissions: Click this to edit permissions for your report, as described in Editing Permissions.
- Schedule: Click this to schedule a report, as described in Scheduling Reports.
- Acceleration: For information, refer to the Splunk documentation.
Configuring Email Notification Settings
You can enable the appliance to send email messages to specified recipients when the alert is triggered. You can configure email settings for alerts, scheduled reports, and scheduled PDF delivery.
To configure email properties for alerts and PDF delivery:
- From the Reporting tab -> Settings tab -> click Server settings.
- Click Email settings.
- Specify the mail host. The default is local host.
- Optionally, you can specify user name and password.
- Specify Email Format.
- In the Specify PDF Report Settings, specify the paper size, paper orientation, and also the path to logo image.
- Click Save.
Note: You can configure email addresses when scheduling dashboard PDFs, scheduling reports, and creating alerts.
This page has no comments.