
Creating alerts from searches
Let's continue with our example. We want to take our original search query, schedule it, and then set a triggered response. Any saved search can also be run on a schedule, and one use for scheduled searches is firing alerts. Go to the Reports page (shown in the previous screenshot) and click on Open in Search for our report (errors affecting mary). This opens our saved report not as a report but as a search query (it also runs the search). From there, we can click on Save As and choose Alert:

Using the Save As Alert window (shown in the next screenshot), we can fill in the appropriate details for our alert:

- Title: I kept the original search title (errors affecting mary) but added the word alert
- Description: I kept this the same, but in reality, we'd want a fuller description of what the alert means and who should act on it
- Alert Type: I selected Scheduled, since I want this alert search to be run every day
- Time Range: I selected the preset Run every day
- Schedule At: I selected the preset 12:00
- Trigger condition: I selected the preset Number of Results, since I'd like to trigger an event if my search finds any errors generated by our favorite user, mary
- Trigger if number of results: I selected the preset Is Greater than and filled in zero (this means that I am interested in any errors at all that are found by my search)

After filling in the above, click on Next; there is more information to provide:

This time, the window is divided into the following areas: Enable Actions, Action Options, and Sharing.
Enable actions
- List in Triggered Alerts: Check this if you want your triggered alert to appear in the Splunk Alert Manager, which lists details of triggered alerts for 24 hours or for a specified duration
- Send Email: You can configure your alert to send an e-mail to specified users when the alert gets triggered
- Run a Script: You can have Splunk run a script when your alert gets triggered. The script is executed by splunkd on the search head, so it runs with the privileges of the splunkd account; keep it in the app's bin directory, restrict who can edit it, and treat it as privileged code
Action options
- When triggered, execute actions: Once or For each result. For example, should the alert trigger once for all of mary's errors within the time range, or once for each error she receives?
- Throttle?: You can use throttling (usually based upon time and/or event count) to reduce the frequency at which an alert triggers, since an alert can fire repeatedly on similar results returned by the search or on every run of its schedule
Sharing
- Permissions: Private or Shared in App. Should this alert be shared with other users? Shared in App makes the saved search, and its results for anyone with access to run it, visible to other users of the app, so share only when that is intended.

For our example, I've elected to trigger an e-mail to mary (marys@slunker.com) with a link to both the alert and the alert results within the e-mail so that she can review her errors. In addition (as shown in the next screenshot), I have decided to send the e-mail Once (for all events/errors within the time range, not for each one) and leave the alert Private.

After hitting Save, our alert is ready to go:
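The Save As Alert dialog does nothing more than write a stanza to savedsearches.conf, and that stanza is what you will audit, version-control or deploy to other search heads. The following is an added example, not taken from the book or from Splunk's own files: the stanza that corresponds to the choices made above. The stanza name, the 24-hour dispatch window, the description wording and the search itself are assumptions; substitute the report's actual query, which this section does not reproduce.

```ini
# Added example (not from the original page): the savedsearches.conf stanza
# equivalent to the Save As Alert choices above. For a Private alert it lives in
# $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf; once Shared in
# App it moves to $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf.
[errors affecting mary alert]
# Placeholder query (assumed): replace with the report's own search.
search = error user=mary
description = Errors affecting mary, checked daily (assumed wording)

# Alert Type: Scheduled, Run every day at 12:00
enableSched = 1
cron_schedule = 0 12 * * *
# Time range each run covers (assumed): the 24 hours before the run, so that
# consecutive daily runs neither overlap nor leave a gap
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Trigger condition: Number of Results, Is Greater than 0
counttype = number of events
relation = greater than
quantity = 0

# Enable actions: List in Triggered Alerts, Send Email (with alert and results links)
alert.track = 1
action.email = 1
action.email.to = marys@slunker.com
action.email.include.view_link = 1
action.email.include.results_link = 1

# Action options: execute actions Once per trigger (digest mode), no throttling
alert.digest_mode = 1
alert.suppress = 0
```

To confirm what Splunk actually merged from all the layered .conf files after saving, run `splunk btool savedsearches list "errors affecting mary alert" --debug` on the search head; the `--debug` output names the file each setting came from, which is the quickest way to spot a shared copy of the alert that someone else has changed.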
