Detector for alert storm / detector on detector

MichaelRTR · ‎09-08-2025

Hi there,

I have a use-case whereby I want to trigger an alert/detector when there is a spike of triggered detectors in my org. The idea is to catch an outage and alert an appropriate team.

I want to monitor and alert when there is a spike in triggered detectors.
Is there a suitable way to achieve this?
I tested but I do not see any suitable metrics to use.
This seems like a simple use-case but there does not appear to be a simple solution.

As an example, I would like to trigger a detector when >5 P1 detectors have triggered in a 5 min period (just an example).

Thanks in advance.

bishida · ‎09-20-2025

I would recommend sending the alerts to the Splunk platform (Enterprise or Cloud) and performing event correlation there. This is a core use case for IT Service Intelligence. But if you wanted to just address this one example, you could do it pretty easily with a one-off search/alert in the platform.

Detector for alert storm / detector on detector

Splunk Observability Cloud

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

Detector for alert storm / detector on detector

Splunk Observability Cloud

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability