You can configure alerts to trigger actions when certain events occur. When you set up an alert, search results trigger an alert action if they match the alert conditions. You can configure an alert to send an email notification, send an SNMP trap, and log a message in the syslog. Note that alerts are executed based on the update frequency of each corresponding search. For example, DHCP Lease History alerts are executed every 10 minutes, and Device Trend alerts are executed every 30 minutes, at the 17th and 47th minutes of each hour (one minute after the search updates). For information about search indexes and update time intervals, see Reporting Indexes and Update Time Intervals. You can also throttle an alert if you want to change its frequency. For more information, refer to the Splunk documentation.
You can do the following in the Alerts page:
Creating Scheduled Alerts
You can schedule an alert to notify you when a scheduled report returns results that meet a specific condition. The appliance sends an alert when it encounters the trigger condition.
1. From the Reporting tab -> Alerts tab, select an alert, and then click Open in Search.
2. From the Save As drop-down list, click Alert.
3. In the Save As Alert dialog box, complete the following:
   - Specify the title and description.
   - Alert Type: Select Scheduled.
   - Time Range: Specify the time range. For example, you can select Run Every Day.
   - Schedule At: Specify the time.
   - Trigger Condition: Specify trigger conditions. For more information, refer to the Splunk documentation.
   - Trigger Actions: Click this to configure alert actions. You can select the following:
     - Send SNMP Trap: Select this to enable SNMP traps. For information about how to trigger SNMP traps for reporting event types, see Defining Thresholds for Traps.
     - Send email: Select this to send an alert notification through email. Specify the email address in the To text box.
     - Send to Syslog: Select this to log a message in the syslog. If you configure this option with an alert, the message goes to the syslog on the reporting member or indexer.
     - File Transfer Action: Select this to upload the search results to an FTP, SCP, or TFTP server configured on the Set up page. For information, see Reporting (Index) Storage Space.
4. Click Save.
You can edit the alert type, trigger condition, and alert actions, as follows:
1. From the Reporting tab -> Alerts tab, select an alert.
2. From the Edit drop-down list, choose Edit Alert to edit the alert settings. In the Edit Alert dialog box, make the required changes. For information, see Creating Scheduled Alerts.
3. Click Save.
1. From the Reporting tab -> Alerts tab, select the alert that you want to clone.
2. Click Edit -> Clone.
3. Enter a title and a description. Click Clone Alert.
Configuring Email Notification Settings
You can enable the appliance to send email messages to specified recipients when an alert is triggered. You can configure email settings for alerts, scheduled reports, and scheduled PDF delivery.
To configure email properties for alerts and PDF delivery:
1. From the Reporting tab -> Settings tab, click Server settings.
2. Click Email settings.
3. Specify the mail host. The default is local host.
4. Optionally, specify a user name and password.
5. Specify Email Format.
6. In the Specify PDF Report Settings, specify the paper size, paper orientation, and the path to the logo image.
7. Click Save.
You can configure email addresses when scheduling dashboard PDFs, scheduling reports, and creating alerts.