topic When creating ES rules I get this error - "Search could not be updated: Argument "schedule_priority" is not supported by this handler." in Splunk Enterprise Security

When creating ES rules I get this error - "Search could not be updated: Argument "schedule_priority" is not supported by this handler."

bscavotto — Fri, 19 Jan 2018 17:42:58 GMT

I cannot find any literature on it or an explanation. Does anybody recognize this and know how to remedy?

Re: When creating ES rules I get this error - "Search could not be updated: Argument "schedule_priority" is not supported by this handler."

qbolbk59 — Tue, 26 Mar 2019 09:24:13 GMT

i am also getting the same error while creating a correlation search. Infact i get the same error when i try to create an alert in Splunk enterprise suite.
I think it's because of some sort of issue with the Scheduler. Just thinking out loud.

Re: When creating ES rules I get this error - "Search could not be updated: Argument "schedule_priority" is not supported by this handler."

lakshman239 — Tue, 26 Mar 2019 09:59:40 GMT

Whats your version of Splunk Core and ES?

Re: When creating ES rules I get this error - "Search could not be updated: Argument "schedule_priority" is not supported by this handler."

qbolbk59 — Tue, 26 Mar 2019 10:42:43 GMT

@lakshman239 I am running Splunk 7.2.1 with ES 5.2

Re: When creating ES rules I get this error - "Search could not be updated: Argument "schedule_priority" is not supported by this handler."

lakshman239 — Tue, 26 Mar 2019 12:10:14 GMT

ok, I am on 7.0.3 with ES 5.1.1 still and don't see any issue. This comes from schedule_priority setting in the savedsearches.conf . Could you try the following?

As admin user, can you try to edit (any dummy changes will do) any of the correlation searches that comes with ES? Are you seeing any errors when saving it?
do the above step 1 as non-admin user and are you seeing any diff behaviour?

This could indicate any issues with permissions/roles/capabilities to user.