In the previous articles, we discussed how to include the library that forwards crash logs from iOS and Android mobile apps into Splunk Enterprise, how to install a Splunk app that aggregates the forwarded logs from mobile devices, and how to perform some simple analytics on the indexed data. If you have been following the write-ups closely and Splunk-ing the valuable data from your iOS and Android mobile apps, you might be interested to know how to set up an alerting mechanism in the event of a crash.
We are going to discuss in particular how to configure real-time alerts via email with a PDF attachment using Splunk Enterprise. It takes very little time (timed myself – 2 minutes at least; pro Splunkers out there, you might take even less time) to enable a real-time alert, and the steps are as follows:
- CONFIGURE EMAIL SETTINGS
- Go to Manager » System Settings » Email System Settings
- Provide the values for Mail Host, Username and Password
- Don’t forget to Enable SSL
- A very simple search is used in this example, sourcetype="ios_crash_log", with a Real-time window of 1 minute
- Click Create and select Alert
- Provide a name for the alert. In this example it is Realtime iOS Crash Alert
- Schedule the alert as Trigger in real-time whenever a result matches
- Click Next » button
- Check to Send email
- Provide the email address(es) of the recipient(s)
- Check to attach results as PDF
- Check to show triggered alerts in Alerts manager
- Click Next » button
- Select Share as read-only to all users of current app (if you want to share the search result with all users)
- Click Finish » button
- Congratulations! You have successfully created a real-time email alert with PDF attachment
- Click OK button to conclude the configuration
- Now that you have successfully configured a real-time alert with Splunk, you may check your email client for the alert
- In this example, the email is sent from mobile.dev.acct@gmail.com (which was configured in Step 1)
- You will notice that the subject of the email is Splunk Alert: Realtime iOS Crash Alert (this was configured in Step 4, where $name$ is replaced with the name of the alert)
- Voila! A PDF attachment of the real-time search result
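For reference, the same alert expressed as the configuration stanzas that Splunk Web writes on your behalf when you click through the steps above. This is an added example, not something from the original post: the app directory, mail host, addresses and recipient are placeholders, and the SMTP password is deliberately not written here in clear text.

```ini
# etc/apps/<your_app>/local/savedsearches.conf  (app name is a placeholder)
[Realtime iOS Crash Alert]
# The search and its 1-minute real-time window
search = sourcetype="ios_crash_log"
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
# A real-time alert is a scheduled search; the cron line is the placeholder
# Splunk Web writes, the rt-1m window above is what actually drives it
enableSched = 1
cron_schedule = * * * * *
# "Trigger in real-time whenever a result matches": fire per result, not as a digest
alert_type = always
alert.digest_mode = 0
# "Show triggered alerts in Alerts manager"
alert.track = 1
# Email action with the results attached as PDF; $name$ expands to the stanza name
action.email = 1
action.email.to = oncall@example.com
action.email.sendpdf = 1
action.email.subject = Splunk Alert: $name$

# etc/apps/<your_app>/metadata/local.meta  -- "Share as read-only to all users of current app"
[savedsearches/Realtime%20iOS%20Crash%20Alert]
access = read : [ * ], write : [ admin ]
export = none

# etc/apps/<your_app>/local/alert_actions.conf  -- the Email System Settings from Step 1
[email]
mailserver = smtp.example.com:465
use_ssl = 1
auth_username = mobile.dev.acct@example.com
# Enter auth_password through Splunk Web (Step 1) so it is stored encrypted rather than
# typed here in clear text; keep this file readable only by the splunk user either way
from = mobile.dev.acct@example.com
```

Note that the PDF attachment carries the matched crash-log events themselves, so the recipient list is effectively a distribution list for whatever device and user details those logs contain.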
Hurray … you can now set up real-time alerts with Splunk! This is A.W.E.S.O.M.E
Also, if you have been thinking about signing up to attend .conf2013, think no more, because (copied directly from http://conf.splunk.com) …
The 4th Annual Splunk Worldwide Users’ Conference is the best way to deepen your practical knowledge of Splunk, learn best practices and check out new solutions, apps and add-ons. Connect with hundreds of your peers, see how others apply Splunk technology to real-world projects and become more involved in the Splunk community. Together, we’ll find ways for our data to show us new approaches, opportunities, and innovations. The conference features three days of breakout sessions, plus two pre-conference days for Splunk University–aka Splunk hands-on training classes.