Alerts overview

In Splunk, an alert is a search that runs periodically with a condition evaluated on the search results. When the condition matches, an action is executed (e.g. an email is sent to the administrator or a script is run).

It is possible to configure a variety of alerting scenarios for both real-time and historical searches. You can have your historical searches run automatically on regular schedules, and you can set up both types of searches so they send emails to the administrator when their results meet specific conditions. You can base these alerts on a wide range of threshold- and trend-based scenarios, such as empty shopping carts, brute-force firewall attacks, login errors, and server system errors.

There are three types of alerts in Splunk:

  • Scheduled alert – an alert based on a historical search that runs periodically in accordance with a set schedule. An example of this type of alert is triggering an alert when the number of 404 errors in any 2-hour interval exceeds 50.
  • Per-result alert – an alert based on a real-time search that runs over all time. An example of this type of alert is triggering an alert when a disk full error occurs on a host.
  • Rolling-window alert – an alert based on a real-time search that is set to run within a rolling time window that you define. An example of this type of alert is triggering an alert whenever there are five consecutive failed logins for a user within a 10-minute window.

Alerting can be throttled such that alerts do not continuously fire if similar conditions are met repeatedly.
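The three alert types and throttling above, written as savedsearches.conf stanzas. This is an added example, not configuration from the original page or from Splunk's own documentation; the index names, sourcetypes, search strings, e-mail address and script name are assumptions chosen for illustration, and the rolling-window search counts failures per user within the window rather than checking strict consecutiveness. The schedule, time-range and alert.* keys are standard savedsearches.conf settings.

```ini
# Scheduled alert: historical search, runs every 2 hours over the previous
# 2-hour interval and fires when more than 50 HTTP 404 responses were logged.
[web_404_spike]
search = index=web sourcetype=access_combined status=404
enableSched = 1
cron_schedule = 0 */2 * * *
dispatch.earliest_time = -2h@h
dispatch.latest_time = @h
alert_type = number of events
alert_comparator = greater than
alert_threshold = 50
alert.track = 1
action.email = 1
action.email.to = admin@example.com

# Per-result alert: real-time search over all time (rt .. rt); every matching
# event fires the action on its own (digest mode off). Throttling by host keeps
# a chatty server from firing again for an hour once it has already alerted.
[disk_full_on_host]
search = index=os sourcetype=syslog "No space left on device"
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt
dispatch.latest_time = rt
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
action.script = 1
action.script.filename = notify_ops.sh

# Rolling-window alert: real-time search over a 10-minute window that slides
# with wall-clock time (rt-10m .. rt). The search itself reduces the raw events
# to one row per user with five or more failures; any row fires the alert.
# Suppression by user for the length of the window prevents the same streak of
# failures from firing on every re-evaluation while it remains in the window.
[failed_logins_rolling_window]
search = index=auth sourcetype=linux_secure "Failed password" | stats count by user | where count >= 5
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-10m
dispatch.latest_time = rt
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 10m
action.email = 1
action.email.to = admin@example.com
```

The difference between the three types lives almost entirely in the dispatch.* time range: a fixed historical range for the scheduled alert, rt to rt for the all-time per-result alert, and rt-10m to rt for the rolling window. The alert.suppress.* keys implement the throttling described above; without them a real-time alert would fire on every search re-evaluation for as long as the triggering condition stays true.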
Geek University 2022