Create an alert using an SPL2 search

Save an SPL2 search as an alert that initializes actions such as email notifications when the search results meet the specified conditions.

An alert is a saved search that initializes one or more alert actions when the search returns results that meet specific conditions. For example, you can create an alert that sends an email notification to the Splunk platform administrator if the search results show that the volume of data being ingested from a data source is above an accepted threshold.

You can use alerts to monitor for and respond to specific events. Alerts are available on the Alerts page in the Search & Reporting app.

For complete information about alerts, see the following documentation:

Splunk Cloud Platform

See the Alerting Manual in the Splunk Cloud Platform documentation.

Splunk Enterprise

See the Alerting Manual in the Splunk Enterprise documentation.

The exact workflow for creating an alert from an SPL2 search varies depending on whether you are working with searches in the Search bar or the SPL2 module editor. For detailed instructions, see the sections Save a search as an alert from the Search bar and Save a search as an alert from the SPL2 module editor on this page.

Save a search as an alert from the Search bar

After running a search, you can save the search as an alert from the Search bar.

On the Search page of the Search & Reporting app, after running a search, you can use the Save As menu located above the Search bar to save your search as an alert.

This image shows the Search bar after a search has been run. The "Save As" menu is highlighted by a red box.
  1. On the Search page of the Search & Reporting app, set the language picker to SPL2. Then, enter an SPL2 search in the Search bar and select the Search icon (This image shows an icon with a magnifying glass.) to run it.

    For more information about navigating to and using the Search bar, see Search page overview for SPL2 and Run an SPL2 search in the Search bar.

  2. Select Save As, then Alert.
  3. Configure your alert using the options in the Save As Alert dialog box:
    1. In the Title field, enter a unique name for the alert.
    2. (Optional) In the Description field, enter a description for the alert.
    3. Set the Permissions toggle switch to specify whether to keep the alert private or share it with other users in the Search & Reporting app.
    4. Set the Alert type toggle switch to specify whether the alert runs on a set schedule or runs continuously in real time.

      Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible.

      CAUTION: If you have a Splunk Enterprise high-availability deployment, use per-result triggering with caution. If a peer is not available, a real-time search does not warn that the search might be incomplete. To avoid this issue, use a scheduled alert.
    5. If you set the Alert type toggle switch to Scheduled, then you must configure the schedule. There are two options for scheduling:

      Option: Select one of the available scheduling options and set a time.
      Next steps for this option: None.

      Option: For further customization, select Run on Cron Schedule to use a time range and cron expression.
      Next steps for this option:
        1. Enter the Earliest and Latest values for the search time range. These values override the original search time range. To avoid overlaps or gaps, the execution schedule should match the search time range. For example, to run a search every 20 minutes, the search time range should also be 20 minutes (-20m).
        2. Enter a cron expression to schedule the search. For information about cron expressions, see the following:
    6. (Optional) Change the Expires setting to specify the lifespan of triggered alert records.

      Triggered alerts appear on the Triggered Alerts page, which you can access by selecting Settings then Triggered Alerts from the Splunk bar.

    7. Configure the Trigger Conditions options to specify the conditions for triggering the alert.

      For example, you can configure the alert to trigger when the number of results returned by the search is greater than 500. If you are creating a real-time alert, you can configure it to trigger whenever the search returns a result, or to trigger based on a rolling time window.

    8. (Optional) If you want to prevent the alert from triggering too rapidly, you can select Throttle and then specify conditions for suppressing subsequent alert triggers.
    9. In the Trigger Actions area, select and configure one or more actions that occur when the alert triggers.
  4. Select Save.

The Search & Reporting app returns a message confirming that your alert has been successfully created, and displays options for next steps that you can take with your alert, such as editing the alert or changing the permissions associated with it.

To see a list of all your alerts, navigate to the Alerts page of the Search & Reporting app.

This image shows the navigation bar of the Search & Reporting app with the Alerts page highlighted.

Save a search as an alert from the SPL2 module editor

After you run a search, you can save the search as an alert from the SPL2 module editor.

The following instructions assume that you have already created an SPL2 module containing the search that you want to save as an alert. For detailed information on how to navigate to the SPL2 module editor and create a module, see SPL2 module editor overview and Create an SPL2 module.

In the SPL2 module editor, after writing a search, you can use the options in the Outline panel to export the search and then save it as an alert.

This image shows the SPL2 module editor after a search has been exported and the module has been saved. The options menu in the Outline panel is highlighted by a red box.
  1. Open your SPL2 module for editing in the SPL2 module editor.
  2. In the Outline panel, select the Options icon (This image shows an icon with 3 dots in a vertical orientation.) beside the name of the search that you want to save as an alert, and then select Export.
  3. Select Save to save your changes to the module.
  4. In the Outline panel, select the Options icon (This image shows an icon with 3 dots in a vertical orientation.) beside the name of the search, and then select Use in alert.
  5. In the Alert title field, enter a unique name for the alert.
  6. (Optional) In the Description field, enter a description for the alert.
  7. On the Schedule & trigger conditions tab, do the following:
    1. Set the Alert type toggle switch to specify whether the alert runs on a set schedule or runs continuously in real time.

      Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible.

      CAUTION: If you have a Splunk Enterprise high-availability deployment, use per-result triggering with caution. If a peer is not available, a real-time search does not warn that the search might be incomplete. To avoid this issue, use a scheduled alert.
    2. If you set the Alert type toggle switch to Scheduled during the previous step, then you need to configure the schedule. There are two options for scheduling:

      Option: Select one of the available scheduling options and set a time.
      Next steps for this option: None.

      Option: For further customization, select Run on Cron Schedule to use a time range and cron expression.
      Next steps for this option:
        1. Enter the Earliest and Latest values for the search time range. These values override the original search time range. To avoid overlaps or gaps, the execution schedule should match the search time range. For example, to run a search every 20 minutes, the search time range should also be 20 minutes (-20m).
        2. Enter a cron expression to schedule the search. For information about cron expressions, see the following:
    3. (Optional) Change the Expires after setting to specify the lifespan of triggered alert records.

      Triggered alerts appear on the Triggered Alerts page, which you can access by selecting Settings then Triggered Alerts from the Splunk bar.

    4. Configure the Trigger alert when and Trigger frequency options to specify the conditions for triggering the alert.

      For example, you can configure the alert to trigger when the number of results returned by the search is greater than 500. If you are creating a real-time alert, you can configure it to trigger whenever the search returns a result, or to trigger based on a rolling time window.

    5. (Optional) If you want to prevent the alert from triggering too rapidly, you can select Turn on throttle and then specify conditions for suppressing subsequent alert triggers.
  8. On the Trigger actions tab, select and configure one or more actions that occur when the alert triggers.
  9. Select Save.
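Both procedures above warn that a cron schedule and the Earliest/Latest time range must match, or consecutive runs either skip events (a gap, so a real incident can go unalerted) or report the same events twice (an overlap, so the alert fires repeatedly). The following checker is an added example written for this page, not Splunk code; it assumes the simple "*/N * * * *" minute-step cron form and Splunk-style relative times such as -20m@m or now, and ignores snap-to modifiers because they do not change the window length.

```python
"""Check that an alert's cron interval and its search time range line up."""
import re

# Assumption of this example: only the "*/N * * * *" minute-step form is parsed.
CRON_STEP = re.compile(r"^\*/(\d+) \* \* \* \*$")
RELATIVE_TIME = re.compile(r"^([+-]?\d+)([mh])$")


def cron_interval_minutes(cron):
    """Minutes between consecutive runs for a '*/N * * * *' cron expression."""
    match = CRON_STEP.match(cron.strip())
    if not match:
        raise ValueError("only '*/N * * * *' cron expressions are supported here")
    step = int(match.group(1))
    if not 1 <= step <= 60 or 60 % step:
        raise ValueError("minute step must divide 60 evenly to give a regular interval")
    return step


def relative_minutes(spec):
    """Convert '-20m', '-1h', 'now' or '@m' to a minute offset from the run time.
    The snap-to part after '@' is dropped; it shifts the window but not its length."""
    spec = spec.strip().split("@", 1)[0]
    if spec in ("", "now"):
        return 0
    match = RELATIVE_TIME.match(spec)
    if not match:
        raise ValueError(f"unsupported relative time: {spec!r}")
    value, unit = int(match.group(1)), match.group(2)
    return value * (60 if unit == "h" else 1)


def run_windows(cron, earliest, latest, runs=3):
    """(start, end) minute offsets of the first runs' search windows, relative to run 1."""
    step = cron_interval_minutes(cron)
    start, end = relative_minutes(earliest), relative_minutes(latest)
    return [(i * step + start, i * step + end) for i in range(runs)]


def check_schedule(cron, earliest, latest):
    """'contiguous' when window length equals the interval, else 'gap' or 'overlap'."""
    step = cron_interval_minutes(cron)
    span = relative_minutes(latest) - relative_minutes(earliest)
    if span <= 0:
        raise ValueError("Latest must be after Earliest")
    if span == step:
        return "contiguous"
    return "gap" if span < step else "overlap"


if __name__ == "__main__":
    for args in (("*/20 * * * *", "-20m@m", "@m"), ("*/20 * * * *", "-15m", "now"),
                 ("*/20 * * * *", "-1h", "now")):
        print(args, "->", check_schedule(*args), run_windows(*args, runs=2))
```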

The SPL2 module editor returns a message confirming that your alert has been successfully created, and displays options for next steps that you can take with your alert, such as editing the alert or changing the permissions associated with it.

To see a list of all your alerts, navigate to the Alerts page of the Search & Reporting app.

This image shows the navigation bar of the Search & Reporting app with the Alerts page highlighted.

See also

For more information about working with alerts:

Splunk Cloud Platform

See the Alerting Manual in the Splunk Cloud Platform documentation.

Splunk Enterprise

See the Alerting Manual in the Splunk Enterprise documentation.