Ch. 3 Scheduling Reports and Alerts

  • Scheduled Report - a report that runs on a scheduled interval

  • Schedule Window - lets the scheduler delay a report by up to a set number of minutes after its scheduled time if the search head is at capacity when the report is due. Only use a schedule window when the exact run time is not critical.

    • Schedule Window Auto - lets Splunk choose the window itself, so a report scheduled for 5pm every Monday might actually start at 5:30pm if Splunk determines that is the best time.

  • Scheduled Report Actions - after a report has run, you have the option to trigger an action

  • Scheduled Report Action Types - send email, run a script, etc.

  • Managing Scheduled Reports - an overview page of all scheduled reports, where you can edit the search string and the time the report will run, as well as clone a report and view its results

    • Power Role - scheduling a report requires the power (or admin) role; users with that role can view the scheduled report and share it with other users

  • Schedule Priority - determines which report runs first when several scheduled reports are due at the same time (Default, Higher, Highest)

  • Enable Embedding in Scheduled Report - allows users outside of Splunk to view the results of a scheduled report via an embed snippet; the embedded view is empty until the report has run. No changes can be made to the report while embedding is enabled.

  • Alerts - Splunk will alert you when a search result meets a defined condition, and you can then trigger an action

    • Default Alert Permissions - once an alert is shared, everyone has read access and power users have write access

  • Alert Types

    • Scheduled Alert Type - you set a schedule and a time range for the search to run; the trigger condition is checked against the results of each run

    • Real-Time Alert Type - runs the search continuously in the background and triggers an action as soon as the alert condition is met

      • More system intensive, but ideal when you want the action to trigger as soon as possible

      • Ex. Alert - send an email if an error occurs 2 or more times within a rolling 60-minute window

  • Alert Actions

    • Log Event - write the alert as an event to an index you choose, for archiving and later searching

    • Output results to lookup - append to or replace the contents of a lookup table with the search results

    • send email

    • Output results to telemetry endpoint - sends the search results to Splunk's telemetry endpoint (used for Splunk's own instrumentation and usage data collection); it does not create fields

    • Webhook - POSTs the alert details as JSON to a URL you specify, e.g. a third-party chat room or a ticketing app such as ServiceNow

    • Custom Action - Build your own action

  • Managing Actions - overview of scheduled and real-time alerts, where you can edit the alert settings and disable the alert

    • Alerts are private by default
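As an added worked example (not part of the original notes and not Splunk's shipped configuration), here is a savedsearches.conf fragment that wires up the settings from both the report bullets above (schedule, schedule window, priority, embedding, email action) and the alert bullets (scheduled and real-time trigger conditions, throttling, log event and webhook actions). The stanza names, index and sourcetype names, email addresses and webhook URL are made-up placeholders; the keys are the standard savedsearches.conf settings that the Save/Edit dialogs in Splunk Web write for you, so the easiest way to check any of them is to save a report or alert in the UI and read the resulting stanza.

```ini
# savedsearches.conf (e.g. etc/apps/<app>/local/savedsearches.conf)
# Added example, not from the original notes or from Splunk's shipped configuration.
# Each stanza is one saved search. Stanza names, indexes, addresses and URLs are placeholders.

# ---- Scheduled report: daily error summary with a schedule window, priority and email ----
[Daily Error Summary]
search = index=web sourcetype=access_combined status>=500 | stats count by status, host
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
# enableSched=1 turns the schedule on; cron: 06:00 every day
enableSched = 1
cron_schedule = 0 6 * * *
# Let the scheduler start this report up to 30 minutes late when it is busy.
# Use "auto" to let Splunk pick the window, or 0 when the exact run time is critical.
schedule_window = 30
# default | higher | highest: decides who goes first when several searches are due at once
schedule_priority = default
action.email = 1
action.email.to = secops@example.com
action.email.subject = Daily error summary for $name$
action.email.sendresults = 1
action.email.inline = 1
# 1 = expose results to non-Splunk users via an embed snippet; the report is read-only while enabled
embed.enabled = 0

# ---- Scheduled alert: every 15 minutes, fire when the search returns any result ----
[Failed Logins Spike]
search = index=auth action=failure | stats count by user | where count > 20
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
enableSched = 1
cron_schedule = */15 * * * *
# Trigger condition: number of results greater than 0
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# 0 = trigger once per result row (needed to throttle per user); 1 = once per run (digest)
alert.digest_mode = 0
# List it under Activity > Triggered Alerts; severity 4 = high (1 info ... 5 critical)
alert.track = 1
alert.severity = 4
# Throttle: suppress repeat triggers for the same user for 1 hour
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = user
# Log Event action: archive the trigger as an event in a dedicated index
action.logevent = 1
action.logevent.param.index = alerts
action.logevent.param.event = failed_login_spike user=$result.user$ count=$result.count$
# Webhook action: POST the alert payload as JSON to a ticketing/chat endpoint (use HTTPS)
action.webhook = 1
action.webhook.param.url = https://hooks.example.com/splunk/failed-logins

# ---- Real-time alert: rolling 60-minute window, fire when ERROR appears 2 or more times ----
[Repeated App Errors RT]
search = index=app sourcetype=app_log log_level=ERROR
# rt-60m .. rt = real-time search over the last 60 minutes; it runs continuously
dispatch.earliest_time = rt-60m
dispatch.latest_time = rt
enableSched = 1
# "2 or more" is written as "greater than 1"; valid comparators are greater than,
# less than, equal to, not equal to, drops by, rises by
alert_type = number of events
alert_comparator = greater than
alert_threshold = 1
alert.digest_mode = 1
alert.track = 1
action.email = 1
action.email.to = oncall@example.com
action.email.subject = $job.resultCount$ ERROR events in app_log in the last hour
```

The settings map onto the dialogs in Splunk Web: Edit Schedule writes cron_schedule, schedule_window and schedule_priority; the alert Trigger Conditions panel writes alert_type, alert_comparator and alert_threshold plus the alert.suppress.* throttle keys; each enabled action is an action.<name> = 1 line plus its action.<name>.param.* settings. Two practitioner caveats: alert actions run with the alert owner's permissions, so whoever has write access to the stanza also controls where the webhook payload is sent (keep the URL on HTTPS and the write permission tight); and $result.*$ tokens carry field values taken from indexed events, so treat them as untrusted data when you build the log event string or email body.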