Alerting

Alert search string reverts to old search string after alert is modified

nsanzar_splunk
Splunk Employee
Splunk Employee
  • Splunk Version: 8.0.2007.1
  • Instance:  Search Head
  • App AIX or other apps

 

  • Problem:  After updating an alert's saved search, the saved search reverts after updating the alert's cron job or other settings.

 

  • Nitty Gritty:  This only occurs when the saved search is modified and saved in a different browser tab, and then, the alert is updated in the original tab where the alert is modified.  Confused, don't worry, I have an example below.

 

  • Example:  User modifies saved search and cron job of alert in "two different browser tabs":
    • User opens alert-1 in App in browser tab 1
    • User opens search in second tab (through right-click -> open in new tab)
    • User updates search, runs search and then saves search under alert-1 name
    • User closes search tab (tab 2) or leaves both tabs open
    • User goes back to tab 1 to update cron job of alert (or other configuration on alert)
    • User saves alert settings.
    • User wants to verify that alert saved search is correct by opening up second tab (right-click on open in search -> new tab)
    • User finds that search string has reverted to original search
Labels (2)
0 Karma

nsanzar_splunk
Splunk Employee
Splunk Employee
  • Solution:
    • Make any changes to alerts in Settings -> Searches, Reports and Alerts section.  In 8.0.2007.1, you can update search string in this section.
    • If you must make this change in the app context of AIX, update the search string and alert settings all in one tab (do not open a new tab).
    • If you need to open a new tab for the search: save the new search, close tab 2, refresh browser tab 1 and then update the alert settings as needed.  You will see that the new search string will stick this time.

 

  • This is a bug and SPL-195342 has been submitted to correct this issue.
0 Karma

psla
Explorer

What is the status of this bug? It still persists in Splunk 9.0.5 and I haven't seen a fix in the release notes for newer versions.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...