Splunk Alerts: Using Gmail, Twitter, iOS, and Much More

With no programming required!

One of the great features about Splunk is its built in alerting functionality. You can configure Splunk alerts to do just about anything, from sending an SMS to integrating them with another app, like ServiceNow for example.

Most Splunk users will probably want to configure alerts via email at some point. If you don’t have your own mail server you can use web based mail services like Gmail to do this. In this post we’ll explore how you can set this up and some neat ways in which you can extend upon native Splunk alerts.

Prerequisites

• A basic understanding of Splunk
• Splunk installed and running (free download here)
• Some data being indexed into Splunk (to trigger alerts)
• Read access to your email server information

Step 1: Configure Email Server Settings in Splunk

Configuring Splunk to connect into the Gmail (and other web based email) servers is very simple.

In Splunk, navigate to: “Settings > System Settings > Email Alert Settings”.

In this example we’ll use Gmail, but you can also grab mail server information from web based email services, like Yahoo or Outlook to name but two. You’ll need to fill out 4 fields for your mail server to work with Splunk. For Gmail this will be as follows:

Mail host = smtp.gmail.com:587
Email security = TLS
Username = <YOUR_GMAIL_ADDRESS>
Password = <YOUR_GMAIL_PASSWORD>

You’re then given the option in Splunk to make your email alerts look pretty using the formatting options. For now we’ll keep it quick and use the defaults by hitting “Save”.

Step 2: Configure Alerts

Now all you need to do is create an alert, or edit an existing one, to set off your email trigger. To create an alert, first create a search with the criteria you want to be alerted on, then click: “Save As > Alert”.

Once you’ve named the alert, select the email recipient(s) by selecting “Send email”.

Step 3: Profit

Voilà, alerts delivered to your inbox.

As you can see the alert information is pretty basic in its default format. The important thing is that the alert has a link to jump straight into Splunk for a deeper look. You probably want to style your emails better than I have using Splunk’s native email formatting settings (Step 1).

Step 4: Taking Alerts to the Next Level

After integrating Splunk with Gmail you can start to connect your Splunk alerts to other services. By using apps like IFTTT (If This Then That) this can be done very quickly, and very simply.

For example, connect your Gmail and Twitter accounts using IFTTT so that when a Splunk email alert is received a Tweet is posted.

Another neat recipe I’ve played around with is triggering an iOS notification through IFTTT when a Splunk email alert is received. If you’re really keen you can also connect your phone number to place calls as alerts come in!

Or what about…

----------------------------------------------------
Thanks!
David Greenwood