Thank you @elliotproebstel and @damien_chillet. I'm a beginner with splunk, so please bare with me. The URL currently returned does not have the earliest or latest stated (e.g. http://splunkus.instance/app/search/@go?sid=scheduler__username__search__RMD5465ce29d801b0ccd_at_152...)

@elliotproebstel
Ok, so no problem appending | addinfo to the search. I'm trying to piece together the second point to pass the info_min_time and info_max_time to the alert. Do I append those variables to $results_link$? So something like this $results_link.info_min_time.info_max_time$ . ?

As I posted in a comment above, it seems like the correct solution is probably in modifying the TTL for the alert, but even then - you'll be specifying some period of time during which the search artifacts will continue to live, and after that, they will be gone. If you want a bit of a workaround that's not super clean but will give your alert an indefinite lifetime, you could pass the tokens: $result.info_min_time$ and $result.info_max_time$ into the alert body. Those will come through as epoch strings. As @damien_chillet mentioned above, this will also mean that your search results will all have four fields that they didn't have before we started all this: info_min_time, info_max_time, info_sid (the search ID assigned by Splunk), and info_search_time (the time, in epoch value, at which the search was run). To use the epoch strings to re-run the search, you can either add them directly into the SPL (earliest=1524052800 latest=1524140780, for example) or you can paste them into the "Advanced" section in the time picker dropdown.

Wait, is it a real-time search you are talking about?

@damien_chillet, no not a real time search. The alert is based on a Schedule to run every 5 mins.

Is the alert condition "Number of results > 0"?
If so the job results should be saved and clicking the link should display the results without having to run the job once more.

Yes, the alert condition is set to "Number of results > 0". The behaviour I'm seeing is - if the link is clicked just after the alert is fired (within 1 min say), the results are displayed in Splunk. However, if the link is clicked >= 5 minutes after the alert fired (assuming there hasn't been an exception found since), then the results returned in Splunk are empty as the Relative search is 5 minutes ago.

Let's try with an example.
The search runs at 13:45 for events between 13:40 and 13:45.
It finds 1 error event so an alert link is sent to your slack channel.

Whatever the time is when you click the link it should load the job which ran at 13:45 for events between 13:40 and 13:45.

The time range would change only if you re-run the job manually.

Valid example, but I only see the results in Splunk if the link is opened just after 13:45 it seems, so I must be missing something if the time when you click the link shouldn't matter. Any other thoughts? Perhaps there's some back end configuration overriding the $results_link$ parameters to re-run the job? Based on what @elliotproebstel was saying, the I need to pass 'info_min_time' and 'info_max_time' into the Alert.

Could you share the alert configuration settings such as expiration time?

I could be missing something, but I can't see how addinfo would help here, it would just add fields to your existing search, not change time range the alerts run on.

My thinking in using addinfo was based on experience with drilldowns where I was able to directly pass the info_min_time and info_max_time through a drilldown to dynamically create a new search running in the same time window. It was meant as a workaround to allow the user to re-run the same search at an arbitrary time in the future, as requested.

That said, I honestly can't get that approach to the finish line. I can pass those time values through an alert but can't seem to assemble a full search URL with the tokens available to an alert.

This post from 2016 seems to suggest the solution will lie in editing the TTL for the alert:
https://answers.splunk.com/answers/440040/saving-alert-artifacts-for-longer-periods-of-time.html

Unfortunately, at this moment, I can't seem to get any pages from Splunk Docs to load, so I can't provide any updated official guidance.

@damien_chillet, @elliotproebstel

So in the default alert_actions, email has a default of 86400, but there IS an alert_actions in local, but without a TTL. Then, in the default saved searches, there's a dispatch.ttl of "2p".

* If the integer is followed by the letter 'p' Splunk interprets the ttl as a multiple of the scheduled search's execution period (e.g. if the search is scheduled to run hourly and ttl is set to 2p the ttl of the artifacts will be set to 2 hours).

Considering the above 2p, if the alert is scheduled for every 5 min then maybe the TTL is 10 min?

The saved results will expire shortly, since the alert is only looking back over 5 mins. I think the expected lifetime of a search like that is twice the interval over which it runs.

Yea it is like that for jobs. But in case of a triggered alert it should be kept longer, i think expiration time is 24h by default for a triggered alert.