Splunk | Configure alerts

Perform the following steps to configure alerts for your Splunk instance.

Important: This document includes references to a third-party product, Splunk. The user interface and usage of third-party products are subject to change without notice. For the latest published information about Splunk, see https://docs.splunk.com/Documentation.

To configure alerts:

  1. Enter the following query into the Splunk search field. Change the values between square brackets [] to the appropriate values for your instance.

    index=[companyindex] Primary.methodName="[Monitor Name]" 
    "Primary.testStatus"=Fail | rename Primary.description as "Device Description", 
    Primary.reportiumReport as "Primary Report", 
    Primary.location as "Primary Device Location", 
    Primary.methods."[Monitor Name]".Steps{}.step as "Primary Transactions", 
    Primary.methods."[Monitor Name]".Steps{}.stepStatus as "Primary Status", 
    Primary.methodName as Monitor | strcat "[Customer Interactive Cloud Device URL]" 
    Primary.device DeviceLink1 | table "Device Description" "Primary Device Location" "Primary Transactions" "Primary Status" 
    DeviceLink1 "Primary Report"

    Note that Splunk field names are case-sensitive: the field is Primary.methodName throughout, and the renamed step fields use the same [Monitor Name] value as the filter on the first line.
  2. On the right side of the search bar, click the down arrow to set the time period to the last 60 minutes.

  3. Click the magnifying-glass (search) button to submit the search.

  4. Save the result as a report with a meaningful name, as follows:

    1. Click Save As.

    2. From the drop-down menu, choose Report.

    3. Save the same result as an Alert from the same drop-down menu.

    4. Complete fields in the Alert dialog as suggested below.

      • Title – [Name of Alert]
      • Description – Optional
      • Permissions – Shared in App
      • Alert Type – Real Time
      • Trigger alert when – Number of Results
      • Is greater than – [choose a number of results as needed]
      • In – Choose a time period to limit the results to
      • Trigger – Choose either a single alert or once for each occurrence.

      • Throttle – Check to suppress subsequent alerts for the throttle period.
        a. Suppress results containing field value – A field value can be added to filter the alerts to be suppressed.
        b. Suppress triggering for – Define a time period for suppressing alerts.

  5. Trigger actions:
    1. Click Add Actions.

    2. Choose Send email.

    3. Configure email with suggested settings below:

      1. To – [recipient emails]

      2. Email Priority – as needed

      3. Subject – can be left as default or edited

      4. Message – Can be left as default. Additional fields can be added using a token in the format “$result.[field]$”; only fields kept by the final table command in the search are available as tokens.

      5. Include desired elements as suggested below

      6. For a table in the email with links to the reports, check Inline Table.

      7. Type – HTML & Plain Text

      8. Click Save.

Test alert conditions by either waiting for or creating a failure. An email should be sent to recipients containing a table as was shown in the search results.
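The same alert can be kept under version control instead of living only in the UI. The stanza below is an added example, not taken from this page or from Splunk's or Perfecto's documentation: it expresses the search, the real-time 60-minute window, the "number of results greater than" trigger, the throttle, and the email action from the steps above as a savedsearches.conf stanza. The stanza name, index name, monitor name, device URL, recipients and throttle period are placeholders chosen for illustration; the mapping of the UI options onto these keys is my assumption and should be checked against the savedsearches.conf reference for your Splunk version.

```ini
# Added example (not from the original page): the UI alert above as a
# savedsearches.conf stanza, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf.
# All bracketed/placeholder values are assumptions; replace them with your own.

[Perfecto monitor failure - MY_MONITOR_NAME]
# Step 1: the search, with placeholders filled in (backslash continues a line).
search = index=myindex Primary.methodName="MY_MONITOR_NAME" "Primary.testStatus"=Fail \
  | rename Primary.description as "Device Description", \
    Primary.reportiumReport as "Primary Report", \
    Primary.location as "Primary Device Location", \
    Primary.methods."MY_MONITOR_NAME".Steps{}.step as "Primary Transactions", \
    Primary.methods."MY_MONITOR_NAME".Steps{}.stepStatus as "Primary Status", \
    Primary.methodName as Monitor \
  | strcat "https://cloud.example.invalid/device/" Primary.device DeviceLink1 \
  | table "Device Description" "Primary Device Location" "Primary Transactions" "Primary Status" DeviceLink1 "Primary Report"

# Step 2 and "Alert Type - Real Time": a real-time search over a rolling 60-minute window.
# The "In" time period of the trigger is this window; the cron line is required for a
# scheduled/real-time alert and is effectively ignored for rt searches.
dispatch.earliest_time = rt-60m
dispatch.latest_time = rt
enableSched = 1
cron_schedule = * * * * *

# "Trigger alert when - Number of Results" / "Is greater than - 0"
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Show in Triggered Alerts (assumption: you want a record of each firing).
alert.track = 1
# "Trigger": 1 = a single alert for the whole result set, 0 = once for each result.
alert.digest_mode = 1

# "Throttle": suppress further alerts for 60 minutes per device (DeviceLink1 is the
# "suppress results containing field value" field; the period is a placeholder).
alert.suppress = 1
alert.suppress.fields = DeviceLink1
alert.suppress.period = 60m

# Trigger action "Send email" (recipients and subject are placeholders).
action.email = 1
action.email.to = monitoring-team@example.invalid
action.email.subject = Perfecto monitor failure: $name$
action.email.message.alert = Monitor $result.Monitor$ failed on $result.Device Description$. See $result.Primary Report$.
# "Inline Table": send the result table inline in the message body.
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
# "Type - HTML & Plain Text": assumption that html yields the multipart HTML+text body.
action.email.content_type = html
action.email.include.results_link = 1
action.email.include.trigger = 1
```

After adding the stanza, restart Splunk or reload the app configuration and confirm the alert appears under Settings > Searches, reports, and alerts with the expected permissions. Treat savedsearches.conf as sensitive configuration: the recipient list and the device URL are operational details, and the alert's email action runs with the permissions of the owning user, so review who can edit the file or the saved search.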