Reporting

Why does the "advanced edit" option disappear in search management?

kearaspoor
SplunkTrust

In the search/report/alert management window under the Actions column there's "Run, Clone, Delete", "Move" depending on permissions and "View recent" if it's scheduled.

I've also seen an "Advanced Edit" option that, when it's there, allows one to edit a GUI version of the associated savedsearches.conf stanza for the search. For some searches I've even made changes to those settings, when appropriate. Likewise, I greatly prefer to use this feature since we just implemented search clustering and it's my understanding that editing savedsearches.conf via CLI can cause replication problems.

What I'm confused about is why this option isn't always present. I'm suspecting it's related to search cluster synchronization but I've simultaneously looked across all nodes (captain and members) and if it goes missing, it's gone everywhere. Performing a manual re-sync doesn't seem to force it to appear.

So... what causes the "Advanced Edit" option to appear/disappear? And, when it does disappear, how do I get it back?

0 Karma
1 Solution

pradeepkumarg
Influencer

Click on Settings -> Show All settings. Now load back the manager page for your alert. You will now see the Advanced Edit option.

Caution - If you had to go to "Show All settings" to make the changes then these changes you make are not replicated and you might end up doing the same change on all the search heads the same way.


0 Karma

kearaspoor
SplunkTrust

The comment by gpradeepkumarreddy ended up resolving the issue but I can't accept it as an answer because it was posted as a comment. 😞

Clicking on the "Show All settings" did indeed cause the "Advanced Edit" to become visible again, on each node that I went through that extra step.

I'll also note that I've confirmed that the changes I made within the Advanced Edit window so far have replicated across all nodes. But the warning that they should be verified is greatly appreciated! I'm still trying to figure out all the "will replicate/won't replicate" minutiae since clustering is still a new feature for us! Thanks for the reminder and the great suggestion!

0 Karma

pradeepkumarg
Influencer

I've converted my comment to an answer. You can accept it now. Glad it helped 🙂

0 Karma
