Splunk Dev

How to deal with alerts that can't be enabled in the Splunk Admin UI.

sideview
SplunkTrust



Posting this in case other folks run into it. It's possible for an app to ship an alert disabled, in such a way that when any user tries to enable it via going to manager and selecting "Edit > Enable", it doesn't work.

Instead of enabling the alert, nothing happens at all. You click the green button and nothing happens.

[Screenshot: enable_modal.png]

Looking at the browser console, there are no errors when this happens and the javascript makes no attempt to post anything at all to Splunk.

The question has two parts.

-- what is the root cause of this, and how can folks avoid accidentally shipping app content like this?

-- what workaround might exist for the end users who need to enable the disabled alert?


sideview
SplunkTrust

1) Root cause. It appears that this can happen when enableSched is set to "1" or "true", but the set of actual alerting properties is somehow invalid.

For example, if the disabled alert has

action.email = 1

but specifies no value for action.email.to, then the green "enable" button will quietly fail for all users, even admins. It posts nothing to the backend and displays no message to the user.

2) Workaround - you can go to "Edit > Advanced Edit", and then scroll way down to find "is_scheduled". Change this from "true" to "false" and submit.

Now you will be able to "enable" the savedsearch. And then when you click "edit schedule", you'll be able to re-enable scheduling and then the UI will tell you what required keys aren't populated yet.

(For App Developers - there are valid reasons to ship a disabled alert, with a specific cron schedule that is somehow tied to the SPL for instance. I believe another workaround would be to specify "example@example.com" as the action.email.to key. This may seem strange, but the "example.com" domain is, according to RFC 2606 and RFC 6761, a reserved domain that is only for documentation and examples.)

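The first half of the question asks how app developers can avoid shipping a stanza like this in the first place. A simple pre-release lint over savedsearches.conf catches the combination the answer describes: a scheduled alert (enableSched set) with action.email enabled but no action.email.to. The following is an added example, not code from the poster or from Splunk; the sample stanzas are constructed, and the REQUIRED_KEYS table is an assumption that only encodes the email rule from the answer (other actions can be added the same way).

```python
"""Lint savedsearches.conf for scheduled alerts whose enabled action is
missing a required key, the case that makes "Edit > Enable" silently fail.
Added example; not Splunk's own tooling. Sample input below is constructed."""
import configparser

# Constructed sample savedsearches.conf with one broken and one valid alert,
# plus a plain report that has no schedule and should be ignored.
SAMPLE_CONF = """
[broken_alert]
search = index=_internal log_level=ERROR | stats count
enableSched = 1
cron_schedule = */5 * * * *
disabled = 1
action.email = 1

[ok_alert]
search = index=_internal log_level=ERROR | stats count
enableSched = 1
cron_schedule = */5 * * * *
disabled = 1
action.email = 1
action.email.to = example@example.com

[plain_report]
search = index=_internal | head 10
"""

# Assumption: which keys each alert action needs before the UI will enable
# the search. The email rule comes from the answer; extend per action.
REQUIRED_KEYS = {
    "action.email": ["action.email.to"],
}

TRUE_VALUES = {"1", "true", "t", "yes"}


def parse_conf(text):
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}.
    Interpolation is disabled so '%' in SPL does not trip the parser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (enableSched, not enablesched)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def lint_stanza(name, stanza):
    """Return a list of problems for one stanza (empty when it is fine)."""
    problems = []
    # enableSched is the conf key; "is_scheduled" is the name Advanced Edit shows.
    scheduled = is_true(stanza.get("enableSched")) or is_true(stanza.get("is_scheduled"))
    if not scheduled:
        return problems
    for action, required in REQUIRED_KEYS.items():
        if not is_true(stanza.get(action)):
            continue
        for key in required:
            if not stanza.get(key, "").strip():
                problems.append(f"{name}: {action} enabled but {key} is empty")
    return problems


def lint_conf(text):
    """Lint every stanza and return all problems found, in stanza order."""
    problems = []
    for name, stanza in parse_conf(text).items():
        problems.extend(lint_stanza(name, stanza))
    return problems


if __name__ == "__main__":
    for line in lint_conf(SAMPLE_CONF):
        print(line)
```

Run it against an app's default/savedsearches.conf before packaging; a non-empty result is the stanza that would later leave users staring at a green button that does nothing.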

