Alerts are used in Splunk when you want to be notified of discrepancies in your system. For example, sending an automated email to the Splunk Administrator when more than three failed login attempts are encountered in a twenty-four hour time period.

Different options are available when setting up alerts in Splunk:
  • You can create a webhook that writes to HipChat or GitHub, or send an email to a group of recipients with your chosen subject, priority and message body.
  • Add the results as a .csv or PDF attachment, or inline in the body of the message, so that the recipient fully understands the nature of the alert and follows best practices to resolve it.
  • Create tickets and push alerts based on certain conditions, such as a specific MAC or IP address. For example, during a virus outbreak you don't want to alert on every system, because that leads to a flood of tickets and an overload.
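As an added example (not from the original page), the following savedsearches.conf stanza wires the options above together for the failed-login case: a scheduled search over the last 24 hours, an email with the results inline and attached as CSV, a webhook for a ticketing integration, and per-user throttling so one outbreak does not flood the queue. The index name, field names, mailbox and webhook URL are assumptions.

```ini
# savedsearches.conf stanza (constructed example, not Splunk's own). Assumes an
# "auth" index whose events carry action=failure, user and src fields; the mailbox
# and webhook URL are placeholders to replace with real values.
[Failed logins - more than 3 per user in 24h]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = index=auth action=failure \
  | stats count AS failures, dc(src) AS distinct_sources, values(src) AS sources BY user \
  | where failures > 3

# Fire only when the search returns at least one row, i.e. a user over the threshold
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1

# Throttle: one notification per offending user per 24h, so a brute-force burst or
# an outbreak does not turn into a flood of emails and tickets
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 24h

# Email to the administrator with the results inline and attached as CSV
action.email = 1
action.email.to = splunk-admin@example.com
action.email.subject = Splunk alert: $name$ ($job.resultCount$ users over threshold)
action.email.priority = 2
action.email.inline = 1
action.email.sendresults = 1
action.email.format = csv
action.email.sendcsv = 1

# Webhook so a ticketing or chat integration can open a ticket from the payload
action.webhook = 1
action.webhook.param.url = https://ticketing.example.com/hooks/splunk
```

The threshold is enforced in the search itself (`where failures > 3`), so the alert condition only needs to check that the search returned any rows.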
By Best Interview Question on 24 Feb 2020