Altering alert search string in Splunk 6

Explorer

I can't figure out how to change the search performed for an alert. In Splunk 5 when you edited the alert you had a text box with the search string that you could just change, but in Splunk 6 I can't find that functionality any more.

How do you do that in Splunk 6?

1 Solution

SplunkTrust

From the list of alerts at http://splunk_host:8000/en-US/app/search/alerts you press "Open in Search", make your changes, run the search to confirm they work, and press the green "Save" button - same steps as changing a report (saved search).

Splunk Employee

Alerts are categorized as "Searches & Reports" with special settings.

So you go to Searches & Reports: Settings > Searches and Reports

And you select the report with the same name as your alert.

You should see the familiar edit box.

The doc walk-through is here:

Update and Expand Alert Functionality

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
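Both answers above edit the alert through the web UI, and both come down to the same fact: an alert is a saved search with extra settings, so its search string lives in the `saved/searches` entity. The script below is an added example, not code from either answerer or from Splunk, showing the same change made through splunkd's REST API on the management port (8089, not the 8000 web port used above) and read back afterwards to confirm it took. The host, credentials, alert name and search string are assumed values for illustration.

```python
"""Added example: change an alert's search string through Splunk's REST API.

Alerts are saved searches, so the saved/searches endpoint covers both.
Host, credentials and the alert name used below are assumptions.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

SPLUNKD_PORT = 8089  # management port; the thread's 8000 URL is the web UI


def saved_search_url(host, owner, app, name, port=SPLUNKD_PORT):
    """Build the entity URL for one saved search / alert.

    The alert name is part of the path, so spaces and other reserved
    characters must be percent-encoded or splunkd reports the entity missing.
    """
    quoted = urllib.parse.quote(name, safe="")
    return f"https://{host}:{port}/servicesNS/{owner}/{app}/saved/searches/{quoted}"


def update_body(new_search):
    """Form-encode the one field being changed.

    POSTing 'search' to an existing entity replaces its search string and
    leaves the schedule, trigger conditions and alert actions as they were.
    """
    return urllib.parse.urlencode({"search": new_search}).encode()


def extract_search(json_text):
    """Pull the current search string out of a GET ...?output_mode=json reply."""
    doc = json.loads(json_text)
    return doc["entry"][0]["content"]["search"]


def _request(url, user, password, data=None, verify_tls=True):
    """Send one authenticated request to splunkd and return the body as text."""
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance still on splunkd's self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def update_alert_search(host, owner, app, name, new_search, user, password, verify_tls=True):
    """Replace the alert's search, then read it back and return what splunkd stored."""
    url = saved_search_url(host, owner, app, name)
    _request(url, user, password, data=update_body(new_search), verify_tls=verify_tls)
    reply = _request(url + "?output_mode=json", user, password, verify_tls=verify_tls)
    return extract_search(reply)


if __name__ == "__main__":
    # Assumed values; replace with a real host, account and alert name.
    stored = update_alert_search(
        "splunk_host", "admin", "search", "Failed logins alert",
        'index=main sourcetype=syslog "Failed password" | stats count by host',
        "admin", "changeme", verify_tls=False,
    )
    print("alert now searches:", stored)
```

Unlike the "Open in Search" route, a REST update never runs the new search first, so a typo in the SPL only surfaces the next time the alert is scheduled; the read-back at the end confirms the string was stored, not that it parses. Changing an alert's search changes what the alert detects, so the account used here should be one whose actions are audited, and the alert's owner and app in the path must match the entity you mean to edit.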

Splunk Employee

Not that Martin needs any more Karma points... but you did see his first so he gets it. 🙂
You can go to the doc, and scroll to the bottom. There is a place where you can send your comments to the documentation team. They are very appreciative of it and will take your comments to heart. Glad you got your answer!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Explorer

Why can't I mark two answers as both accepted, both this and the one above from martin_mueller? They're both spot-on and correct.

I had read that several times, but completely missed the first wall of text paragraph. Who manages the documentation, how do I suggest perhaps putting those steps into a bullet list so that it is apparent they're "steps to take" and not just a pile of text to read?

And, frankly, why would they suggest such a convoluted route when you can "open the alert" then just change it and save it?

Anyway, no complaints about this ANSWER, though! Thanks!

0 Karma


SplunkTrust

That's just how Splunk Answers - and many more portals like it - work, only one answer can be marked as "accepted"... that doesn't mean other answers are wrong of course.

0 Karma

Path Finder

Wow, this seems fairly counter-intuitive since the Save button is grayed out until you run the search.

0 Karma

SplunkTrust

I'd say that's a Good Thing - at least you know you didn't make any syntax errors after running it once.

0 Karma

Explorer

Wow. Yes. It's green instead of the color of the "Save As" button and in the wrong place by half an inch, which is what I'll totally blame not seeing that button on regardless of how much it's simply my not seeing it. 🙂

Why can't I mark two answers as both accepted, both this and the one below from rsennett_splunk? They're both spot-on and correct.

Splunk Employee

Yes. Both my answer and Martin's answer will get what you want. Mine is the interface you are used to. Martin's is actually more useful because you can actually run your new search changes and test them before you save. However... you MUST run your new search in order to get access to the green SAVE button. If you know what you want to edit but you don't need or want to test, use the one below. If you don't mind hitting the run button, use this one. - Rosie

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!