A couple of people experienced this in the past week:
When we make changes to a Splunk alert, run it, and save it, and then go back to the query, the changes are not saved and we have to redo them.
What can it be?
1: You are saving it inside of an app that is being controlled by a Deployment Server and the local directory inside of that app on the DS has a savedsearches.conf. If so, the DS will continuously overwrite your changes.
2: You are in a Search Head Cluster and the admin of the Deployer is pushing out apps and overwriting your stuff. This latter possibility is the less likely one because it means a human is doing this over and over, which is unlikely.
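
One way to check the first cause, as an added example that is not part of the original answer: compare the app's local/savedsearches.conf as staged on the Deployment Server with the same file on the search head, and list the alert settings that would be reverted. The alert name, index and sample file contents are constructed for illustration.

```python
import re

STANZA = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, joining backslash continuations."""
    stanzas, current, key, continued = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if continued:  # this line continues the previous value
            continued = line.endswith("\\")
            stanzas[current][key] += " " + line.rstrip("\\").strip()
            continue
        match = STANZA.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
        elif current and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            continued = value.endswith("\\")
            stanzas[current][key] = value.rstrip("\\").strip()
    return stanzas

def edits_at_risk(ds_local_text, sh_local_text):
    """Return {alert: {key: (ds_value, search_head_value)}} for settings that differ.

    Assumption taken from the answer above: the Deployment Server's copy wins.
    """
    ds, sh = parse_conf(ds_local_text), parse_conf(sh_local_text)
    report = {}
    for name in ds.keys() & sh.keys():  # alerts defined on both sides
        diff = {k: (ds[name].get(k), v) for k, v in sh[name].items() if ds[name].get(k) != v}
        if diff:
            report[name] = diff
    return report

# Constructed sample: the app's local/savedsearches.conf on the DS ...
DS_LOCAL = """\
[Failed logins]
search = index=auth action=failure \\
    | stats count by user
cron_schedule = */15 * * * *
"""
# ... and on the search head after editing the schedule and severity in the UI.
SH_LOCAL = DS_LOCAL.replace("*/15", "*/5") + "alert.severity = 4\n"

if __name__ == "__main__":
    for alert, changes in edits_at_risk(DS_LOCAL, SH_LOCAL).items():
        for key, (ds_value, sh_value) in changes.items():
            print(f"[{alert}] {key}: search head={sh_value!r} DS={ds_value!r}")
```

An empty result means the search head's copy of those alerts already matches what the Deployment Server holds.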