System insights alerts
How to set an alert for system insights
Create system insights alerts to take specific action under specific circumstances. For example, you might want to be alerted if a specific playbook has failed to run.
Use the Splunk alerts system to create system insights. This article describes one example for an alert you might create.
To create a system insights alert, follow these steps:
-
Within any panel in the System Insights dashboard, select the magnifying glass icon (
) to view the query information for that panel in the Splunk Search app.
-
The search query for the corresponding dashboard panel appears in the Search field. Use that query as is or modify it for a more specific search.
For example, you might want to use the existing search for the All failures dashboard panel, so you are notified whenever a playbook fails.
Alternatively, modify the existing search query or enter a new search query for a different alert, for example, if a specific playbook has a failed run. For this new example, enter following query, using the
phantom_system_insightstable:CODEindex=phantom_system_insights hostname=<your hostname> | search system_insights_object_type=playbook_run status=failed pb_run_playbook_id=<your playbook id> -
From the Save As menu, select Alert.
-
In the Save As Alert window, at a minimum, specify the following:
- Title: Specify the title that will appear in the Alerts page
- Trigger actions: Specify what you want to happen when this search produces results. For example, you might choose to send an email or run a script.
-
Optionally specify additional settings, like alert type and trigger conditions.
-
Select Save, then optionally view the alert.
-
Select the Alerts menu to view and edit your alerts.
See also
For details on Splunk alerts, see Getting started with alerts for Splunk.
For details on Splunk search, see Get started with Search.