
How to deal with alerts that can't be enabled in the Splunk Admin UI.

sideview (SplunkTrust)



Posting this in case other folks run into it. It's possible for an app to ship an alert disabled, in such a way that when any user tries to enable it via going to manager and selecting "Edit > Enable", it doesn't work.

Instead of enabling the alert, nothing happens at all. You click the green button and nothing happens.

[screenshot: enable_modal.png]

Looking at the browser console, there are no errors when this happens, and the JavaScript makes no attempt to post anything at all to Splunk.

The question has two parts:

-- What is the root cause of this, and how can folks avoid accidentally shipping app content like this?

-- What workaround might exist for the end users who need to enable the disabled alert?

1 Solution

sideview (SplunkTrust)

1) Root cause. It appears that this can happen when enableSched is set to "1" or "true", but the set of actual alerting properties is somehow invalid.
For example, if the disabled alert has
action.email = 1
but specifies no value for action.email.to, then the green "enable" button will quietly fail for all users, even admins. It posts nothing to the backend and displays no message to the user.

2) Workaround - you can go to "Edit > Advanced Edit", and then scroll way down to find "is_scheduled". Change this from "true" to "false" and submit.

Now you will be able to "enable" the savedsearch. And then when you click "edit schedule", you'll be able to re-enable scheduling, and the UI will tell you what required keys aren't populated yet.

(For App Developers - there are valid reasons to ship a disabled alert, with a specific cron schedule that is somehow tied to the SPL for instance. I believe another workaround would be to specify "example@example.com" as the action.email.to key. This may seem strange, but the "example.com" domain is, according to RFC 2606 and RFC 6761, a reserved domain that is only for documentation and examples.)

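Added example (editor's code, not part of the original post or of any Splunk-shipped tooling): a small Python linter an app developer can run over savedsearches.conf before packaging, to catch the combination the answer above describes (scheduling on, an action on, the action's required key empty), plus a helper that applies the poster's workaround in the file by turning scheduling off for one stanza. The sample conf text is constructed for this example; the REQUIRED_KEYS table is an assumption (only action.email.to is named in the post, the other entries are illustrative), and every function name here is this example's own.

```python
"""Lint a Splunk savedsearches.conf for disabled alerts that the Admin UI
cannot enable: scheduling turned on, an action turned on, but the action's
required key (e.g. action.email.to) missing or empty.

Constructed example; not code from the original post or from Splunk.
"""
import configparser
import io

# Assumed required keys per action.  Only action.email.to is named in the
# post; the script and webhook rows are illustrative additions.
REQUIRED_KEYS = {
    "email": ["action.email.to"],
    "script": ["action.script.filename"],
    "webhook": ["action.webhook.param.url"],
}

TRUE_VALUES = {"1", "true", "t", "yes", "y"}

# Constructed sample conf: one broken alert, one correct alert, one
# unscheduled report that is fine to ship disabled as-is.
SAMPLE_CONF = """\
[Broken shipped alert]
search = index=_internal log_level=ERROR | stats count
cron_schedule = */15 * * * *
enableSched = 1
disabled = 1
action.email = 1

[Fine shipped alert]
search = index=_internal log_level=ERROR | stats count
cron_schedule = */15 * * * *
enableSched = 1
disabled = 1
action.email = 1
action.email.to = example@example.com

[Unscheduled report]
search = index=_internal | head 5
disabled = 1
action.email = 1
"""


def is_true(value):
    """Splunk accepts several spellings of a boolean; normalise them."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def load_conf(text):
    """Parse .conf text.  Splunk conf files are INI-like; keep key case and
    the dots in keys such as action.email.to intact."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def scheduling_enabled(stanza):
    """The file key is enableSched; the REST/UI name is is_scheduled.
    Treat either as turning scheduling on."""
    return is_true(stanza.get("enableSched")) or is_true(stanza.get("is_scheduled"))


def lint(text):
    """Return (stanza, action, missing_key) tuples for alerts that the
    'Edit > Enable' button will silently fail on."""
    findings = []
    conf = load_conf(text)
    for name in conf.sections():
        stanza = conf[name]
        if not scheduling_enabled(stanza):
            continue  # a plain disabled search enables fine from the UI
        for action, keys in REQUIRED_KEYS.items():
            if not is_true(stanza.get(f"action.{action}")):
                continue
            for key in keys:
                if not stanza.get(key, "").strip():
                    findings.append((name, action, key))
    return findings


def unschedule(text, stanza_name):
    """Apply the post's workaround in the file: turn scheduling off for one
    stanza so the alert can be enabled, then re-scheduled from the UI, which
    reports the missing keys.  Returns the rewritten conf text (comments in
    the input are not preserved by configparser)."""
    conf = load_conf(text)
    stanza = conf[stanza_name]
    if "is_scheduled" in stanza:
        conf.set(stanza_name, "is_scheduled", "0")
    conf.set(stanza_name, "enableSched", "0")
    out = io.StringIO()
    conf.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for stanza, action, key in lint(SAMPLE_CONF):
        print(f"[{stanza}] action.{action}=1 but {key} is empty: UI enable will fail")
    print(unschedule(SAMPLE_CONF, "Broken shipped alert"))
```

Run it as a pre-package check in the app's build; a non-empty result from lint() is the stanza to fix, either by filling in the required key (the reserved example@example.com from the post works for action.email.to) or by shipping the alert with scheduling off and letting the customer schedule it after enabling.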

