Creating Scheduled Reports and Alerts
Why Scheduled Reports?
Scheduled Reports are useful for:
• Monthly, weekly, daily executive/managerial roll up reports
• Dashboard performance – a panel backed by a scheduled report loads the report's saved results instead of running the search each time the dashboard opens
• Automatically sending reports via email
Creating a Scheduled Report
1. Create your search
2. From the Save As menu, select Report
Creating a Scheduled Report (cont.)
3. Enter Title
4. Enter Description
5. Set Time Range Picker to No
6. Click Save
Note
The Time Range Picker cannot be used with scheduled reports.
Creating a Scheduled Report (cont.)
• After the report is created, click Schedule
• If you inadvertently set Time Range Picker to Yes on the previous screen, a warning displays and the time picker is disabled
Note
Depending on the permissions granted to you by your Splunk administrator, you may be able to set permissions to share your scheduled report.
Creating a Scheduled Report – Define Schedule
• Schedule Report – select this checkbox
• Schedule – select the frequency to run the report
– Run every hour
– Run every day
– Run every week
– Run every month
– Run on Cron Schedule
Creating a Scheduled Report – Select Time Range
• Time Range – by default, the time range of the saved search is used
– Click the Time Range button to change it
– You can select a time range from Presets, Relative, or Advanced
– Typically, the time range is relative to the schedule (for example, a report that runs every 5 minutes searches the previous 5 minutes), so consecutive runs cover contiguous windows without gaps or double counting
Note
Users with admin privileges can also select a Schedule Priority of Default, Higher, or Highest.
Creating a Scheduled Report – Schedule Window
• Schedule Window – lets the scheduler delay the start of the report by up to the window you set
– If other reports are scheduled to run at the same time, the window gives the scheduler room to spread them out instead of running them all at once
– This improves efficiency when many reports share a schedule; leave the window unset for reports whose results must be ready at an exact time
• After you configure the report schedule, click Next
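The schedule and the relative time range above interact in a way that a worked computation makes clearer. The following Python is an added example, not Splunk code: it resolves a Splunk-style relative time range (`-5m@m`, `@h`, `-1d@d`) against each cron run time and checks that consecutive windows are contiguous. It assumes, as Splunk's scheduler does, that earliest and latest are computed from the scheduled run time rather than from the moment the search is actually dispatched; it honours only the minute and hour cron fields; and the start time, the `demo()` function and every other name in it are its own.

```python
"""Added example (not Splunk code): how a scheduled report's search window
follows from its cron schedule and a relative time range.

Assumption made here, matching Splunk's documented behaviour: earliest and
latest are resolved against the *scheduled* run time, not the moment the
scheduler actually dispatches the search, so a schedule-window delay does
not move the window.  Only the minute and hour cron fields are honoured.
"""
from datetime import datetime, timedelta
import re

_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_REL = re.compile(r"^(?:now)?([+-]\d+)?([smhd])?(?:@([smhd]))?$")


def snap_to(t: datetime, unit: str) -> datetime:
    """Round `t` down to the start of the given unit (Splunk's '@' snap)."""
    fields = {"s": ("microsecond",), "m": ("second", "microsecond"),
              "h": ("minute", "second", "microsecond"),
              "d": ("hour", "minute", "second", "microsecond")}[unit]
    return t.replace(**{f: 0 for f in fields})


def resolve_relative(expr: str, now: datetime) -> datetime:
    """Resolve a subset of Splunk relative-time syntax ('now', '-5m',
    '-5m@m', '@h', '-1d@d') against `now`.  The offset is applied first,
    then the snap, which is the order Splunk uses."""
    expr = expr.strip()
    m = _REL.match(expr)
    if not expr or not m:
        raise ValueError(f"unsupported relative time: {expr!r}")
    offset, unit, snap = m.groups()
    if bool(offset) != bool(unit):
        raise ValueError(f"offset needs a unit: {expr!r}")
    t = now + timedelta(**{_UNIT[unit]: int(offset)}) if offset else now
    return snap_to(t, snap) if snap else t


def _cron_field_matches(field: str, value: int) -> bool:
    """Match one cron field: '*', '*/n', 'n', or 'a,b,c'."""
    if field == "*":
        return True
    if field.startswith("*/"):
        return value % int(field[2:]) == 0
    return value in {int(x) for x in field.split(",")}


def scheduled_times(cron: str, start: datetime, count: int) -> list:
    """Next `count` run times at or after `start` for a 5-field cron
    expression whose day, month and weekday fields are '*'."""
    minute, hour, *rest = cron.split()
    if len(rest) != 3 or any(f != "*" for f in rest):
        raise ValueError("only the minute and hour fields are supported here")
    t, runs = snap_to(start, "m"), []
    while len(runs) < count:
        if _cron_field_matches(minute, t.minute) and _cron_field_matches(hour, t.hour):
            runs.append(t)
        t += timedelta(minutes=1)
    return runs


def search_windows(cron, earliest, latest, start, count) -> list:
    """(earliest, latest) pair searched by each scheduled run."""
    return [(resolve_relative(earliest, s), resolve_relative(latest, s))
            for s in scheduled_times(cron, start, count)]


def windows_tile(windows) -> bool:
    """True when consecutive windows share a boundary: no gaps, no overlap."""
    return all(prev[1] == nxt[0] for prev, nxt in zip(windows, windows[1:]))


START = datetime(2024, 1, 1, 9, 0)  # constructed starting point for the demo


def demo() -> dict:
    # Every 5 minutes, searching the previous 5 minutes snapped to the minute.
    five = search_windows("*/5 * * * *", "-5m@m", "@m", START, 4)
    # At 5 past each hour, searching the previous whole hour (leaves time
    # for late-arriving events to be indexed before they are searched).
    hourly = search_windows("5 * * * *", "-1h@h", "@h", START, 3)
    # The same 5-minute range resolved against a dispatch delayed 2m17s by a
    # schedule window: the window would start at 08:57 instead of 08:55.
    delayed = resolve_relative("-5m@m", START + timedelta(minutes=2, seconds=17))
    return {
        "five_min_first": (five[0][0].isoformat(), five[0][1].isoformat()),
        "five_min_tile": windows_tile(five),
        "hourly_first": (hourly[0][0].isoformat(), hourly[0][1].isoformat()),
        "hourly_tile": windows_tile(hourly),
        "delayed_earliest": delayed.isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that a `*/5` schedule with `-5m@m` to `@m` tiles the timeline exactly, that an hourly report run at five past with `-1h@h` to `@h` covers each whole hour once, and that resolving the same range against a dispatch delayed by a schedule window would leave two minutes unsearched. That is why the range is tied to the scheduled time and snapped to a unit boundary rather than to "now".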
Creating a Scheduled Report – Add Actions
• Log Event – creates an indexed, searchable log event
• Output results to lookup – writes the search results to a CSV lookup file
• Output results to telemetry endpoint – sends usage metrics back to Splunk (only if your company has opted in to the program)
• Run a script – runs a previously created script (a legacy action; custom alert actions are the supported replacement)
• Send email – sends an email with the results to the specified recipients
• Webhook – sends an HTTP POST request carrying the alert details to the specified URL
Creating a Scheduled Report – Send Email
1. Enter addresses in the To field, separated by commas
2. Set the priority
3. Edit or keep the default subject (the $name$ variable expands to the name of the report)
4. If desired, include other options, such as an inline table of results
5. Define the email text type
6. Click Save
Managing Reports – Edit Permissions
Note
The proper permissions from your Splunk administrator are required to edit the permissions on a scheduled report.
Managing Reports – Edit Permissions (cont.)
• Run As determines whose permissions the search uses when the report runs
– Owner – the search runs with the owner's permissions, so every viewer sees all data the owner can search, including data the viewer's own role could not reach; share an Owner-run report only when its results are safe for everyone who can read the report
– User – the search runs with the viewing user's permissions, so each viewer sees only the data their own role allows
Managing Reports – Embed
• To access the report results from a webpage, click Edit > Embed
– Before a report can be embedded, it must be scheduled; the embedded panel shows the results of the most recent scheduled run
– Anyone who can load the host web page can see those results without logging in to Splunk, so embed only reports whose results may be shown to that audience
What Are Alerts?
• Splunk alerts are based on searches that can run either:
– On a regular scheduled interval
– In real-time
• Alerts are triggered when the results of the search meet a specific
condition that you define
• Based on your needs, alerts can:
– Create an entry in Triggered Alerts
– Log an event
– Output results to a lookup file
– Send emails
– Use a webhook
– Perform a custom action
Creating an Alert
• Run a search
– In this example, you're searching for server errors: any HTTP request status that begins with 50 (for example, a search ending in status=50*) over the last 5 minutes
• Select Save As > Alert
• Give the alert a Title and Description
Note
This is the underlying search on which all the subsequent Alert slides are based.
Setting Alert Permissions
• Private – only you can access, edit, and view triggered alerts
• Shared in app
– All users of the app can view triggered alerts
– By default, everyone has read access and power has write access to the alert
Note
The proper permissions from your Splunk administrator are required to set the permissions on an alert.
Choosing Real-time or Scheduled Alert Type
Choose an Alert type to determine
how Splunk searches for events that
match your alert
• Scheduled alerts
– Search runs at a defined interval
– Evaluates trigger condition when
the search completes
• Real-time alerts
– Search runs constantly in the
background
– Evaluates trigger conditions within
a window of time based on the
conditions you define
Setting the Alert Type – Scheduled
• From the frequency menu,
choose to run the search every
hour, day, week, month, or on a
cron schedule
– For the scheduled interval
options, select the time the
search will run
– For cron schedule, define the
cron expression
Setting Trigger Conditions – Scheduled
• For the cron schedule, choose a Time Range and enter a Cron Expression
• Set trigger conditions for scheduled alerts (same steps as outlined for real-time alerts)
– The alert examines the complete result set after the search has run
Scenario
In this example, a scheduled search will run every 5 minutes.
Setting Trigger Conditions – Real-time
• Trigger conditions allow you to capture a
larger data set, then apply more stringent
criteria to results before executing the alert
• You can set alerts to trigger:
– Per-Result – triggers when a result is
returned
– Number of Results – define how many
results are returned before the alert triggers
– Number of Hosts – define how many
unique hosts are returned before the alert
triggers
– Number of Sources – define how many
unique sources are returned before the alert
triggers
– Custom – define custom conditions using
the search language
Setting Trigger Conditions – Real-time (cont.)
• In this example, the trigger condition is set to Number of Results
• In this real-time alert example, if the number of results is greater than 2 within 1 minute, the alert triggers
Note
The Number of Results setting does not determine how many actions associated with the alert are triggered. Rather, it sets a threshold to determine whether the alert is triggered in the first place.
Alert Actions – Trigger Conditions: Once
• Once executes the actions one time for all matching events within the scheduled time and conditions
– Example: if your alert is scheduled to run every 5 minutes and 40 results are returned, the alert triggers and executes its actions only once
• Select the Throttle option to suppress the actions for results within a specified time range
Alert Actions – Trigger Conditions: For Each Result
• For each result – executes the alert actions once for each result that matches the conditions
• Select the Throttle option to suppress the actions for results that have the same field value within a specified time range
– Certain situations can cause a flood of alerts when you really want only one
• In this example:
– The search runs every 5 minutes
– 70 events are returned in a 5 minute window: 50 events with status=500, 20 with status=503
– With For each result selected and throttling on the status field, two actions trigger, one for each status value (without the throttle, 70 actions would fire)
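The trigger conditions from the earlier slides (Per-Result, Number of Results, Number of Hosts, Number of Sources, Custom) and the Once / For each result modes with throttling above are easiest to reason about over a concrete result set. The Python below is an added model, not Splunk code: its rows are constructed to match the example (70 results, 50 with status=500 and 20 with status=503, over three hosts and two sources), the function and field names are its own, and the custom condition is a Python callable standing in for an SPL condition.

```python
"""Added example (not Splunk code): a model of how alert trigger conditions,
the Once / For each result action modes and throttling decide how many
actions fire for one scheduled run of the server-error search.

The result rows are constructed for this illustration.
"""
import operator
from datetime import datetime, timedelta

RUN_TIME = datetime(2024, 1, 1, 9, 5)  # constructed time of the scheduled run
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq, "!=": operator.ne}


def constructed_results() -> list:
    """70 rows of the kind the status=50* search would return."""
    rows = []
    for i in range(50):
        rows.append({"host": "web1" if i % 2 else "web2",
                     "source": "/var/log/nginx/access.log", "status": "500"})
    for _ in range(20):
        rows.append({"host": "web3",
                     "source": "/var/log/haproxy.log", "status": "503"})
    return rows


def trigger_fires(results, condition, op=">", threshold=0, custom=None) -> bool:
    """Evaluate a trigger condition over the complete result set.

    condition: 'per_result', 'number_of_results', 'number_of_hosts',
    'number_of_sources' or 'custom'.  For 'custom' pass a callable over the
    results; it stands in for an SPL condition such as `search count > 10`.
    """
    if condition == "per_result":
        return len(results) > 0
    if condition == "custom":
        return bool(custom(results))
    measure = {"number_of_results": lambda r: len(r),
               "number_of_hosts": lambda r: len({x["host"] for x in r}),
               "number_of_sources": lambda r: len({x["source"] for x in r})}[condition]
    return _OPS[op](measure(results), threshold)


def plan_actions(results, mode, throttle_fields=(), throttle_seconds=0,
                 state=None, now=RUN_TIME) -> list:
    """Return the payloads for which an action fires in this run.

    mode 'once': a single action for the whole result set.
    mode 'for_each': one action per result, unless a throttle suppresses
    results whose throttle_fields values already fired within
    throttle_seconds.  `state` carries the suppression timestamps between
    runs, as the scheduler does across successive executions.
    """
    state = {} if state is None else state
    if mode == "once":
        units = [((), results)]
    else:
        units = [(tuple(r[f] for f in throttle_fields), r) for r in results]
    fired = []
    for key, payload in units:
        last = state.get(key)
        if throttle_seconds and last is not None and now - last < timedelta(seconds=throttle_seconds):
            continue  # suppressed: same field values fired inside the throttle window
        state[key] = now
        fired.append(payload)
    return fired


def demo() -> dict:
    rows = constructed_results()
    state = {}
    # For each result, throttled for 10 minutes on the status field, over three runs.
    first = plan_actions(rows, "for_each", ("status",), 600, state)
    second = plan_actions(rows, "for_each", ("status",), 600, state,
                          now=RUN_TIME + timedelta(minutes=5))
    third = plan_actions(rows, "for_each", ("status",), 600, state,
                         now=RUN_TIME + timedelta(minutes=10))
    return {
        "results_gt_2": trigger_fires(rows, "number_of_results", ">", 2),
        "hosts_gt_3": trigger_fires(rows, "number_of_hosts", ">", 3),
        "custom_503_share": trigger_fires(
            rows, "custom",
            custom=lambda r: sum(x["status"] == "503" for x in r) / len(r) > 0.25),
        "once": len(plan_actions(rows, "once")),
        "for_each_unthrottled": len(plan_actions(rows, "for_each")),
        "for_each_throttled_by_status": sorted(r["status"] for r in first),
        "second_run_suppressed": len(second),
        "third_run_after_window": len(third),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The run shows the distinction the slides draw: the trigger condition only decides whether the alert fires at all (70 results is greater than 2; three hosts is not greater than 3), while the action mode and throttle decide how many actions follow. Once gives one action, For each result gives 70, and For each result throttled on status gives one action per distinct status value and then nothing for the next run that falls inside the throttle window.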
Add Trigger Actions
• Add to Triggered Alerts – adds the alert
to the Activity > Triggered alerts list
• All actions available for scheduled
reports are also available for alerts:
– Log Event
– Output results to lookup
– Output results to telemetry endpoint
– Run a script
– Send email
– Webhook
Alert Actions – Add to Triggered Alerts
Choose an appropriate severity for the alert
Alert Actions – Log Event
If you have administrator privileges, you can use a log event action
• Event – the text written to the new log event (tokens such as $name$ are expanded)
• Source – source of the new log event (by default, the alert name)
• Sourcetype – sourcetype to which the new log event is written
• Host – host field value of the new log event (by default, the IP address of the host running the alert)
• Index – destination index for the new log event (default is main; pick an index whose read permissions match who should be able to see the alert output)
Note
For a complete list of available tokens, go to:
http://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens
Alert Actions – Send Email
Customize the content of email alerts
• To - enter the email address(es) of
the alert recipients
• Priority – select the priority
• Subject – edit the subject of the
email (the $name$ token is the title
of the alert)
• Message – provide the message
body of the email
• Include – select the format of the
alert
• Type – select the format of the text
message
Viewing Triggered Alerts
• If you elected to list in triggered alerts, you can view the results by
accessing Activity > Triggered Alerts
• Click View results to see the matching events that triggered the alert
• Click Edit search to modify the alert definition
Editing Alerts
1. From the search bar, click Alerts
2. Select the alert and click Edit
Editing Alert Permissions
• Edit permissions
– Owner – only you can access, edit, and view triggered alerts
– App – users of the app can access, edit, and view triggered
alerts
Other Resources
• Splunk App Repository
https://splunkbase.splunk.com/
• Splunk Answers
http://answers.splunk.com/
• Splunk Blogs
http://blogs.splunk.com/
• Splunk Wiki
http://wiki.splunk.com/
• Splunk Docs
http://docs.splunk.com/Documentation/Splunk
• Splunk User Groups
http://usergroups.splunk.com/