topic Re: Is there a way to convert a scheduled report to an alert? (6.6.3) in Alerting

Is there a way to convert a scheduled report to an alert? (6.6.3)

twinspop — Mon, 28 Aug 2017 23:30:25 GMT

If a saved search is initially created as an alert, I get the option to "Edit alert". But if it's saved as a report, that option is not there and Edit Schedule does not offer the same options. I can't see any way to modify a report to have a conditional alert. I can schedule a report. And I can assign an email action to a report. But the GUI offers no way to assign a conditional action to a report. In order to get the conditional verbiage, I have to recreate the saved search explicitly as an alert. Or edit config files directly.

The new paradigm of reports vs alerts is not ... handy. Maybe I'm just not used to it.

v6.6.3, Linux

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

gcusello — Tue, 29 Aug 2017 07:08:45 GMT

Hi twinspop,
reports and alerts are different expressions of a search (eventually the same).
If the problem is to have a condition in the execution of a scheduled report, you can put this condition in your search: e.g. I have a report that lists all the non updated devices, but sometimes there is an error in the ingestion of the device situation, so in this case in my list there are thousands of not updated devices.
So I inserted in my search the condition | where count<1000 (usually there are few not updated devices) so I'm sure that it doesn't send a wrong report when there is a not updated situation, but only a correct one when situation is updated.
I hope I was clear.
Bye.
Giuseppe

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

twinspop — Tue, 29 Aug 2017 13:08:11 GMT

This is no longer accurate with Splunk 6.6.x.

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

gcusello — Tue, 29 Aug 2017 13:16:46 GMT

You have to find a different condition to verify your report execution.
Bye.
Giuseppe

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

twinspop — Tue, 29 Aug 2017 13:26:21 GMT

No, the interface is totally different. If you have 6.6.x you will see.

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

gcusello — Tue, 29 Aug 2017 14:56:17 GMT

Sorry but I explained badly:
you have to insert a condition in your search, something like | where count<1000 but relevant for your search.
Bye.
Giuseppe

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

twinspop — Tue, 29 Aug 2017 14:59:39 GMT

If you're not running 6.6.x you don't understand. For REPORTS there is only an option to send an email when the report runs. Period. There is no qualifier for number of results returned, custom eval, or anything else. Even with "where count>0" i will still get email on every run regardless of results. In 6.6 REPORTS are inherently different from ALERTS and I don't see anyway to convert one way or the other.

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

gcusello — Tue, 29 Aug 2017 15:03:53 GMT

You have to insert the additional condition in the search used in report, in other words:
if original search is

index=my_index | stats dc(host) AS count

you have to modify search (not report conditions)

index=my_index | stats dc(host) AS count | where count<1000

Bye.
Giuseppe

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

twinspop — Tue, 29 Aug 2017 15:05:51 GMT

Doesn't work in 6.6

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

twinspop — Tue, 29 Aug 2017 15:07:17 GMT

I downvoted this post because not answering the question. extra search commands are not leading to the subject at hand: how to change a report to an alert in 6.6

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

gcusello — Tue, 29 Aug 2017 15:11:13 GMT

You cannotconvert a report in an alert, this is a running workaround that I used.
Bye.
Giuseppe

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

kmaron — Tue, 05 Sep 2017 18:41:55 GMT

I ran into the same thing and as far as I can tell the only option is to recreate it as an alert which you already know about.

I did find this in my searching though I'm not sure if it helps any: https://answers.splunk.com/answers/187134/report-vs-alert-whats-the-difference.html

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

matt_park — Tue, 29 Sep 2020 16:16:51 GMT

I think I found the answer. In your Searches, reports, and alerts, go to Edit > Advanced Edit >

change "alert_type" from "always" to "number of events".

set "alert_comparator" to "greater than"
set "alert_threshold" to "0"

Save and schedule your search (if you haven't already). At this point, you should be able to click Edit and see "Edit Alert" and the saved search will show up under the Alerts filter at the top instead of Reports

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

twinspop — Wed, 18 Oct 2017 23:51:21 GMT

Nice. I mean, this still seems to be a bug to me, but nice workaround. :thumbs-up:

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

pj — Thu, 08 Feb 2018 18:33:37 GMT

Agree - super annoying

To add to the above solution. The search must also be scheduled for the above to work.

Re: Is there a way to convert a scheduled report to an alert? (6.6.3)

bhavya49 — Wed, 27 Nov 2019 06:55:16 GMT

This solution doesn't seem to be working now. After Edit, I don't see any Advanced Edit.