Splunk Search

Alert time range not saving correctly; get "Your changes to the time range of this alert will not be saved." when I attempt to fix it

di2esysadmin
Path Finder

I've set up a very simple alert to fire when my indexing volume exceeds a specific value.

index=_internal source=*license_usage.log type="Usage" | stats sum(b) as indexed_today | where indexed_today > 60000000000

I use the timerange preset of "Today". Then I create an alert to fire if I get any events. Run it every hour.

It isn't firing as I would expect. (Verified that there is a result before I save the search). I edit the search and find the timerange is set to last 1 hour. When I change it back to the preset of "today" and click save I get the warning popup "Your changes to the time range of this alert will not be saved."

Why is this?

Advice appreciated.

Karla


schneidermayer
Engager

I got it guys: Edit Alert > Alert type > Scheduled and below select Run on Cron Schedule -> Select time range

okheggdal
Explorer

A year late and a dollar short but we have the same issue on version 7.1.1 and I found that I could change the time range in savedsearches.conf accompanied by a /debug/refresh in order to use custom time on alerts.

filou
Explorer

Just noticed that some alerts allow changing the time range, and some others do not. I have no idea what the difference is between the two.


filou
Explorer

I have the same problem in 7.0.2.
I save the original alert with time range -1d@d @d and Splunk saves it as -1d now.
Then it is not possible to edit the alert to change the time range, because the alert editor does not allow changing that parameter and says "Your changes to the time range of this alert will not be saved."

I think a lot of people have this problem but are not aware of it. I'm pretty sure we missed some very important alerts in the past because of that. Scary...

Perhaps I can use earliest=-1d@d latest=@d as a workaround. But I will have to do that in all my hundreds of alerts.

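As an added example (not from this thread and not Splunk's own code), a small audit script for the situation okheggdal and filou describe: it reads savedsearches.conf stanzas the way the conf-file workaround edits them, applies the in-search earliest=/latest= override that the inline workaround relies on, and reports scheduled alerts whose effective window differs from the one the owner documents. The conf sample and the expected windows are constructed for illustration.

```python
"""Audit savedsearches.conf for scheduled alerts whose effective time window
differs from the window the owner intended (constructed example)."""
import configparser
import re

# earliest=/latest= written into the search string take precedence over the
# dispatch.* window, which is what the in-search workaround relies on.
INLINE_RE = re.compile(r"\b(earliest|latest)=([^\s|]+)")

def parse_savedsearches(conf_text):
    """Parse INI-style savedsearches.conf text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. dispatch.earliest_time
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()}

def effective_window(stanza):
    """Return the (earliest, latest) pair the scheduler will actually use."""
    earliest = stanza.get("dispatch.earliest_time", "")
    latest = stanza.get("dispatch.latest_time", "")
    inline = dict(INLINE_RE.findall(stanza.get("search", "")))
    return inline.get("earliest", earliest), inline.get("latest", latest)

def audit(conf_text, expected):
    """expected: {alert_name: (earliest, latest)} documented by the owner.
    Returns [(alert_name, effective_window)] for scheduled alerts that differ."""
    findings = []
    for name, stanza in parse_savedsearches(conf_text).items():
        if stanza.get("enableSched", "0") != "1" or name not in expected:
            continue
        window = effective_window(stanza)
        if window != expected[name]:
            findings.append((name, window))
    return findings

# Constructed sample: "Daily volume" was stored as -1d/now instead of the
# intended -1d@d/@d; "Inline fixed" carries the in-search workaround.
SAMPLE_CONF = """\
[Daily volume]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = index=_internal source=*license_usage.log type="Usage" | stats sum(b) as indexed_today

[Inline fixed]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = index=_internal earliest=-1d@d latest=@d source=*license_usage.log | stats sum(b) as indexed_today
"""
EXPECTED = {"Daily volume": ("-1d@d", "@d"), "Inline fixed": ("-1d@d", "@d")}

if __name__ == "__main__":
    for name, window in audit(SAMPLE_CONF, EXPECTED):
        print(f"{name}: effective window {window} differs from what was intended")
```

Run it against a real $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf after filling EXPECTED from your alert inventory; a /debug/refresh is still needed after any conf edit, as okheggdal notes.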

rbal_splunk
Splunk Employee

Essentially there are many ways to edit Splunk knowledge objects like reports, alerts (i.e. scheduled searches), etc. In your case you have created some alert/scheduled search, and later, to edit it, you navigate to App: Search & Reporting > Alerts and you will see the alert names. Now to edit any given alert you have a few options here.

1) In your case you navigated to App: Search & Reporting > Alerts and for the relevant alert clicked "Open in Search". Once you open it in search mode, make a change to the time and try to save it, that won't work and results in the error you saw. This is because you are trying to save the existing alert as a simple saved search.

Now to edit the saved search/alert, you should use the following options.

i) One, you can click on Settings > Searches, reports, and alerts, and here you can look for your alert name, drill down on the name and edit the alert/saved search.
ii) The other option will be to navigate to App: Search & Reporting > Alerts and here drill down on the name of the alert.
iii) One other option will be to navigate to App: Search & Reporting > Alerts and click on the Edit option for the alert to be edited.

Hope this helps.


canuzun
Explorer

Let's say you want to switch from a 5 min window to a 30 min window; in which alert edit option can you do this? I don't want to edit desc, perm, actions. I need to change the search time window, so your suggestions won't work for me.

However this is not related to update; whatever I choose as my time filter, it is always All Time (real-time) when I save an alert and try to edit via Open in Search. So I think I am missing something fundamental here; I also don't think this is a bug, I am trying to do something in a way I am not supposed to do 🙂

wiika
Engager

Seems there is a bug when saving an alert. The search time range is not saved as set in the search.

However you can change the search time range when editing the alert, choose cron schedule and set the 'Earliest' and 'Latest' fields.

This needs to be fixed by the Splunk team though so it is saved correctly and editable for other alert schedule types.

lespider
Explorer

This has happened to me as well in latest version 6.
