Splunk: Introduction to Real Time Data Analysis – Setting Alerts

Splunk really shows its power in the realm of real time analysis of unstructed data. A professional implementation of Splunk involves some sort of machine produced data stream being fed into Splunk. This could be web clicks, social media feeds, sensor readings from mechanical devices, log files, etc.

In our example we are going to be working with computer log files I pulled from a server.

Download Data File:  event

Log into Splunk and select Add Data from the home screen


Select upload


Select File


Select the event.csv file I provided


Select Next


Select Next (since we are on a local machine, the default Input settings will do fine)


Finally, hit Submit


Now we have the full log file loaded, let’s try filtering the data load down a little.

Put error* in the search bar. (* is a wild card in Splunk)

Now only Errors are showing up in our data.


Now try the following in the search bar

error* terminal*

Now my log files are filtered down to TerminalServices Errors only.


Notice the top bar graph. It shows an abnormal increase in these particular errors in October.


Setting Alerts

This seems like there has been an abnormal increase in these particular errors. Wouldn’t it be nice to know if these errors were starting to fire off again.

Splunk lets us set Alerts to do just that. Above the bar graph, you will find a drop down menu Save As – click on it and then select Alert


Give the Alert a name.

I don’t want to run this on a schedule. Instead I clicked Real-time

I set the Trigger Conditions to go off when more than 50 of these errors appear.


Under Add Trigger Actions, I select Add to Triggered Alerts


Select your Severity


Now the Alert is saved


If you select Alerts in the top menu, you can see the newly saved alert too.






Leave a Reply