Could anyone please suggest how to edit the alert title after the alert got saved?
It's possible (but a bit of a kludge) to edit this directly in the configuration files. But the easiest way to do this is to clone the alert - giving the clone the name you want - and then delete the original alert. That's what I usually do.
You can either clone it, or edit savedsearches.conf in the CLI. Those are your only options.
I think the feature needs to be added in the next version of Splunk. Internally clone and delete.
Thanks. Currently I am doing the same thing.
@elliotproebstel while this could be the easiest way to do it from the UI, another approach would be to rename the alert in the savedsearches.conf file and then refresh or restart Splunk.
Don't you also need to edit the related metadata file? I'm often nervous that there's a thread from one conf file to another that I'm failing to keep in sync when I go that route.
No not required 🙂
Good to know, thanks! I'll try to remember that.
@niketnilay Are you sure about that?
If you rename a search in savedsearches.conf that has specific metadata in local.meta, for example, there is no way the renamed search will inherit the same metadata.
Ok, so while cloning gives an option to clone the permissions, this approach means the local.meta file settings for the alert would also need to be copied, or the permissions manually edited from the front end.
Oh alright, so you were talking about cloning in the first place? Sorry, I did not realise.
I would expect cloning to also clone the permissions.
However, a manual edit of savedsearches.conf would require changing the name of the object in the metadata stanza as well.
Actually, @elliotproebstel's answer is based on cloning. I was suggesting a manual edit and, like you pointed out, the alert will lose permissions, hence manual copying of local.meta will also be required.
Ahh, yes. That's what I thought. Sounds like we were just talking past each other accidentally. 🙂
So to conclude, you can either:
1. Clone the alert in the UI, giving it a new name in the process; or
2. Modify both the savedsearches.conf and local.meta files to reflect the new name
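
Option 2 as an added example (not code from anyone in this thread): a Python helper that renames the alert stanza in savedsearches.conf and the matching stanza in local.meta together, so the permissions stay attached to the renamed alert. It assumes local.meta stanzas take the form `[savedsearches/<URL-encoded name>]`; the function name and the sample file contents are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

STANZA = re.compile(r"^\[(.*)\]\s*$")
META_PREFIX = "savedsearches/"

# Constructed sample file contents (not taken from the thread).
SAMPLE_SS = """[Failed logins]
search = index=auth action=failure | stats count by user
alert.track = 1

[Other alert]
search = index=main
"""
SAMPLE_META = """[savedsearches/Failed%20logins]
access = read : [ soc_analyst ], write : [ admin ]
export = none
owner = alice
"""

def stanza_name(line):
    """Return the name inside [..] if the line is a stanza header, else None."""
    m = STANZA.match(line)
    return m.group(1) if m else None

def rename_alert(savedsearches, local_meta, old, new):
    """Rename the alert in both files' text; return (savedsearches, local_meta)."""
    ss_lines = savedsearches.splitlines()
    names = [n for n in map(stanza_name, ss_lines) if n is not None]
    if old not in names:
        raise KeyError(f"no [{old}] stanza in savedsearches.conf")
    if new in names:
        # Refuse to merge into an existing alert and inherit its settings.
        raise ValueError(f"[{new}] already exists in savedsearches.conf")
    ss_out = [f"[{new}]" if stanza_name(l) == old else l for l in ss_lines]

    meta_out = []
    for line in local_meta.splitlines():
        name = stanza_name(line)
        # Assumption: object names in local.meta are URL-encoded, so compare decoded.
        if name and name.startswith(META_PREFIX) and unquote(name[len(META_PREFIX):]) == old:
            line = f"[{META_PREFIX}{quote(new, safe='')}]"
        meta_out.append(line)
    return "\n".join(ss_out) + "\n", "\n".join(meta_out) + "\n"
```

Write the two returned strings back to the app's savedsearches.conf and local.meta (after taking backups), then refresh or restart Splunk as described above.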