Anatomy of an alert

There are some very fundamental parts of an alert that are generic to any alerting system. They are translatable to Nagios, SCOM, Icinga, or take your pick. In Splunk, however, there are some unique components of an alert that give us the ability to enhance what the alert itself does, and mostly it has to do with SPL(Splunk Processing Language). Once we have gotten the results we want, there are some fun things we can do with an alert.

Search query results

This is the result set of any search that you determine viable for an alert. It is often easiest to use a stats command to set an alert, as it gives an integer that can easily be filtered by a where statement. The amount of history searched is also very important in the setup ...

Get Splunk Best Practices now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Splunk Best Practices by Travis Marlette

Anatomy of an alert

Search query results

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly