Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the "advanced edit" option disappear in search management?

kearaspoor
SplunkTrust
SplunkTrust
‎08-23-2016 07:51 AM

In the search/report/alert management window under the Actions column there's "Run, Clone, Delete", "Move" depending on permissions and "View recent" if it's scheduled.

I've also seen an "Advanced Edit" option that, when it's there, allows one to edit a GUI version of the associated savedsearches.conf stanza for the search. For some searches I've even made changes to those settings, when appropriate. Likewise, I greatly prefer to use this feature since we just implemented search clustering and it's my understanding that editing savedsearches.conf via CLI can cause replication problems.

What I'm confused about is why this option isn't always present. I'm suspecting it's related to search cluster synchronization but I've simultaneously looked across all nodes (captain and members) and if it goes missing, it's gone everywhere. Performing a manual re-sync doesn't seem to force it to appear.

So... what causes the "Advanced Edit" option to appear/disappear? and, when it does disappear, how do I get it back?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎08-23-2016 08:25 AM

Click on Settings -> Show All settings. Now load back the manager page for your alert. You will now see the Advanced Edit option.

Caution - If you had to go to "Show All settings" to make the changes then these changes you make are not replicated and you might end up doing the same change on all the search heads the same way.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kearaspoor
SplunkTrust
SplunkTrust
‎08-23-2016 08:41 AM

The comment by gpradeepkumarreddy ended up resolving the issue but I can't accept it as an answer because it was posted as a comment. 😞

Clicking on the "Show All settings" did indeed cause the "Advanced Edit" to become visible again, on each node that I went through that extra step.

I'll also note that I've confirmed that the changes I made within the Advanced Edit window so far has replicated across all nodes. But the warning that they should be verified is greatly appreciated! I'm still trying to figure out all the "will replicate/won't replicate" minutia since clustering is still a new feature for us! Thanks for the reminder and the great suggestion!

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎08-23-2016 08:45 AM

I've converted my comment to answer. You can accept it now. Glad it helped 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎08-23-2016 08:25 AM

Click on Settings -> Show All settings. Now load back the manager page for your alert. You will now see the Advanced Edit option.

Caution - If you had to go to "Show All settings" to make the changes then these changes you make are not replicated and you might end up doing the same change on all the search heads the same way.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...