Why does the "advanced edit" option disappear in search management?

kearaspoor
SplunkTrust

In the search/report/alert management window under the Actions column there's "Run, Clone, Delete", "Move" depending on permissions and "View recent" if it's scheduled.

I've also seen an "Advanced Edit" option that, when it's there, allows one to edit a GUI version of the associated savedsearches.conf stanza for the search. For some searches I've even made changes to those settings, when appropriate. Likewise, I greatly prefer to use this feature since we just implemented search clustering and it's my understanding that editing savedsearches.conf via CLI can cause replication problems.

What I'm confused about is why this option isn't always present. I'm suspecting it's related to search cluster synchronization but I've simultaneously looked across all nodes (captain and members) and if it goes missing, it's gone everywhere. Performing a manual re-sync doesn't seem to force it to appear.

So... what causes the "Advanced Edit" option to appear/disappear? And, when it does disappear, how do I get it back?

1 Solution

pradeepkumarg
Influencer

Click on Settings -> Show All settings. Now load back the manager page for your alert. You will now see the Advanced Edit option.

Caution - If you had to go to "Show All settings" to make the changes then these changes you make are not replicated and you might end up doing the same change on all the search heads the same way.


kearaspoor
SplunkTrust

The comment by gpradeepkumarreddy ended up resolving the issue but I can't accept it as an answer because it was posted as a comment. 😞

Clicking on the "Show All settings" did indeed cause the "Advanced Edit" to become visible again, on each node that I went through that extra step.

I'll also note that I've confirmed that the changes I made within the Advanced Edit window so far have replicated across all nodes. But the warning that they should be verified is greatly appreciated! I'm still trying to figure out all the "will replicate/won't replicate" minutiae since clustering is still a new feature for us! Thanks for the reminder and the great suggestion!


pradeepkumarg
Influencer

I've converted my comment to an answer. You can accept it now. Glad it helped 🙂
