Create an alert

You can create an alert from the most searches you run in Splunk Web. In this chapter we will show you how to create an alert that will be triggered if the number of search results is greater than 100.

First, we need to run our search:

splunk search for an alert

Next, go to Save As > Alert:

save alert

The Save As Alert dialog window opens. We need to define the following parameters:

  • Title – the name of the alert.
  • Description – the alert description.
  • Permissions – select whether the alert will be private or shared with all other users of the app.
  • Alert type – select whether you wish to schedule your alert to run when scheduled or in real-time.
  • Trigger alert when – set the alarm trigger condition. In our example, we will trigger an alert when the number of search results during 300 days exceeds 100.
  • Trigger – select whether you would like to trigger the alarm once or for each result.
  • Throttle – select the throttle period during which alerts will not be triggered.
  • Triggered actions – select the action that will be performed if the alarm is triggered. We’ve chosen to add an event to the Triggered Alerts page.

save as alert

And that’s it! If the number of search results during 300 days exceeds 100, an event will be displayed in the Triggered Alerts page.

Geek University 2021