Solved: Can you alter the Splunk search used for an alert?

marnee · ‎08-18-2016

Can you alter the Splunk search used for an alert? I don't see any way to alter it.

I am being asked to choose a product. From the About box in our local Splunk website, it lists Cloud, so I am selecting that.

masonbanhammer · ‎04-23-2020

If you have permissions, view the alert, click the edit button, choose Open in Search. Make the changes to the query and execute the search. You should then be able to click save.,

View solution in original post

masonbanhammer · ‎04-23-2020

If you have permissions, view the alert, click the edit button, choose Open in Search. Make the changes to the query and execute the search. You should then be able to click save.,

rogerdpack · ‎04-08-2022

That total worked. And wasn't intuitive...

marnee · ‎05-06-2020

Thanks for this clear answer on my very old question (when I was a newbie).

Splunk is awesome, but nothing is perfect. That way of altering the search query is so unintuitive that it still annoys me. Nobody I've worked with has ever been able to figure out how to edit a search query for an alert on their own.

A person shouldn't have to go to a manual for such a basic operation.

An improvement would be: Instead of "Open in Search", the text "Edit Search Query" would be much, much better. And then when it opens in Search, it should somehow look very different from normal search (e.g. different background color, make Save buttons much more prominent)

Maybe one day when I'm feeling ambitious, I'll figure out how and will send a suggestion to Splunk for that change, but what's the point? Most companies don't listen to such suggestions, no matter how good a company (and so many companies are forgetting about usability and about intuitive and efficient UIs these days).

cstamilarasan · ‎04-17-2020

Is it possible to update the alert query without recreating the alert. When I edit the alert query it is not giving the option to "Save". It give the option to "Save As", that lead us to create a new alert.,Every time when I make the changes on alert query, it forced me to save as different query / different alert. Is there any way I can modify the existing query instead of creating different alert every time ?

WillTheOnly · ‎05-23-2022

@cstamilarasan You have to run the query after you edit it in order for the "Save" option to show.

It took me a while to figure that out.

masonbanhammer · ‎04-23-2020

Yes, you just need to run the query after you make the edits, the save button should then be available

ChrisG · ‎08-18-2016

Sure! You are looking for Edit an alert search in the Alerting Manual.

dshpritz · ‎08-18-2016

In most cases, yes you can, as they are saved searches. The Splunk Cloud User Manual is a great place to start, and there is also the Alerting Manual.

Can you alter the Splunk search used for an alert?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...