topic Re: Can you alter the Splunk search used for an alert? in Splunk Search

Can you alter the Splunk search used for an alert?

marnee — Thu, 18 Aug 2016 20:41:30 GMT

Can you alter the Splunk search used for an alert? I don't see any way to alter it.

I am being asked to choose a product. From the About box in our local Splunk website, it lists Cloud, so I am selecting that.

Re: Can you alter the Splunk search used for an alert?

dshpritz — Thu, 18 Aug 2016 22:07:33 GMT

In most cases, yes you can, as they are saved searches. The Splunk Cloud User Manual is a great place to start, and there is also the Alerting Manual.

Re: Can you alter the Splunk search used for an alert?

ChrisG — Thu, 18 Aug 2016 23:06:25 GMT

Sure! You are looking for Edit an alert search in the Alerting Manual.

Re: Can you alter the Splunk search used for an alert?

cstamilarasan — Fri, 17 Apr 2020 13:04:31 GMT

Is it possible to update the alert query without recreating the alert. When I edit the alert query it is not giving the option to "Save". It give the option to "Save As", that lead us to create a new alert.,Every time when I make the changes on alert query, it forced me to save as different query / different alert. Is there any way I can modify the existing query instead of creating different alert every time ?

Re: Can you alter the Splunk search used for an alert?

masonbanhammer — Thu, 23 Apr 2020 16:38:37 GMT

If you have permissions, view the alert, click the edit button, choose Open in Search. Make the changes to the query and execute the search. You should then be able to click save.,

Re: Can you alter the Splunk search used for an alert?

masonbanhammer — Thu, 23 Apr 2020 16:43:02 GMT

Yes, you just need to run the query after you make the edits, the save button should then be available

Re: Can you alter the Splunk search used for an alert?

marnee — Wed, 06 May 2020 19:07:51 GMT

Thanks for this clear answer on my very old question (when I was a newbie).

Splunk is awesome, but nothing is perfect. That way of altering the search query is so unintuitive that it still annoys me. Nobody I've worked with has ever been able to figure out how to edit a search query for an alert on their own.

A person shouldn't have to go to a manual for such a basic operation.

An improvement would be: Instead of "Open in Search", the text "Edit Search Query" would be much, much better. And then when it opens in Search, it should somehow look very different from normal search (e.g. different background color, make Save buttons much more prominent)

Maybe one day when I'm feeling ambitious, I'll figure out how and will send a suggestion to Splunk for that change, but what's the point? Most companies don't listen to such suggestions, no matter how good a company (and so many companies are forgetting about usability and about intuitive and efficient UIs these days).

Re: Can you alter the Splunk search used for an alert?

rogerdpack — Fri, 08 Apr 2022 18:21:56 GMT

That total worked. And wasn't intuitive...

Re: Can you alter the Splunk search used for an alert?

WillTheOnly — Mon, 23 May 2022 17:37:38 GMT

@cstamilarasan You have to run the query after you edit it in order for the "Save" option to show.

It took me a while to figure that out.