Solved: Is there a way to convert a scheduled report to an...

twinspop · ‎08-28-2017

If a saved search is initially created as an alert, I get the option to "Edit alert". But if it's saved as a report, that option is not there and Edit Schedule does not offer the same options. I can't see any way to modify a report to have a conditional alert. I can schedule a report. And I can assign an email action to a report. But the GUI offers no way to assign a conditional action to a report. In order to get the conditional verbiage, I have to recreate the saved search explicitly as an alert. Or edit config files directly.

The new paradigm of reports vs alerts is not ... handy. Maybe I'm just not used to it.

v6.6.3, Linux

matt_park · ‎10-18-2017

I think I found the answer. In your Searches, reports, and alerts, go to Edit > Advanced Edit >

change "alert_type" from "always" to "number of events".

set "alert_comparator" to "greater than"
set "alert_threshold" to "0"

Save and schedule your search (if you haven't already). At this point, you should be able to click Edit and see "Edit Alert" and the saved search will show up under the Alerts filter at the top instead of Reports

View solution in original post

matt_park · ‎10-18-2017

I think I found the answer. In your Searches, reports, and alerts, go to Edit > Advanced Edit >

change "alert_type" from "always" to "number of events".

set "alert_comparator" to "greater than"
set "alert_threshold" to "0"

Save and schedule your search (if you haven't already). At this point, you should be able to click Edit and see "Edit Alert" and the saved search will show up under the Alerts filter at the top instead of Reports

twinspop · ‎10-18-2017

Nice. I mean, this still seems to be a bug to me, but nice workaround. :thumbs-up:

bhavya49 · ‎11-26-2019

This solution doesn't seem to be working now. After Edit, I don't see any Advanced Edit.

pj · ‎02-08-2018

Agree - super annoying

To add to the above solution. The search must also be scheduled for the above to work.

kmaron · ‎09-05-2017

I ran into the same thing and as far as I can tell the only option is to recreate it as an alert which you already know about.

I did find this in my searching though I'm not sure if it helps any: https://answers.splunk.com/answers/187134/report-vs-alert-whats-the-difference.html

gcusello · ‎08-29-2017

Hi twinspop,
reports and alerts are different expressions of a search (eventually the same).
If the problem is to have a condition in the execution of a scheduled report, you can put this condition in your search: e.g. I have a report that lists all the non updated devices, but sometimes there is an error in the ingestion of the device situation, so in this case in my list there are thousands of not updated devices.
So I inserted in my search the condition | where count<1000 (usually there are few not updated devices) so I'm sure that it doesn't send a wrong report when there is a not updated situation, but only a correct one when situation is updated.
I hope I was clear.
Bye.
Giuseppe

twinspop · ‎08-29-2017

I downvoted this post because not answering the question. extra search commands are not leading to the subject at hand: how to change a report to an alert in 6.6

gcusello · ‎08-29-2017

You cannotconvert a report in an alert, this is a running workaround that I used.
Bye.
Giuseppe

twinspop · ‎08-29-2017

This is no longer accurate with Splunk 6.6.x.

gcusello · ‎08-29-2017

You have to find a different condition to verify your report execution.
Bye.
Giuseppe

twinspop · ‎08-29-2017

No, the interface is totally different. If you have 6.6.x you will see.

gcusello · ‎08-29-2017

Sorry but I explained badly:
you have to insert a condition in your search, something like | where count<1000 but relevant for your search.
Bye.
Giuseppe

twinspop · ‎08-29-2017

If you're not running 6.6.x you don't understand. For REPORTS there is only an option to send an email when the report runs. Period. There is no qualifier for number of results returned, custom eval, or anything else. Even with "where count>0" i will still get email on every run regardless of results. In 6.6 REPORTS are inherently different from ALERTS and I don't see anyway to convert one way or the other.

gcusello · ‎08-29-2017

You have to insert the additional condition in the search used in report, in other words:
if original search is

index=my_index | stats dc(host) AS count

you have to modify search (not report conditions)

index=my_index | stats dc(host) AS count | where count<1000

Bye.
Giuseppe

twinspop · ‎08-29-2017

Doesn't work in 6.6

Is there a way to convert a scheduled report to an alert? (6.6.3)

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!