I saw this yesterday and it was caused by placement of parenthesis around search terms. For ex. index=blah1 source=blah2 ("Term1">=20) ("Term2"="blah3")
Once the parenthesis were removed the search worked properly.
This error message is very confusing and misleading. I have no idea why this would cause the engine to complain about an email action. We hadn't even gotten to the point of trying to create an alert. :-S
As a side note, I do wish that some error messages were more descriptive and offered more guidance on what could be done to remediate the issue. Or perhaps even a link to search for the error term in your default search engine? 🙂
I'm going to go out on a limb and bet this is a search that was created a long time ago when your Splunk search head was on a different version than it is today. I bet that is a depreciated option and is no longer supported in your current version, meaning the syntax has changed. If you have access to the file system, open up the savedsearches.conf the search lives in and locate the configuration stanza. The stanza name will simply be the name of the saved search. If that value is present in the stanza, remove and refresh the savedsearches endpoint.
thanks for your reply.
this is the new search. Got this error when i try to save it.
Also i found that the same search was able to save with another person credential.
Seems like authentication/access issue. Am i correct?