
Alert time range not saving correctly; get "Your changes to the time range of this alert will not be saved. " when I attempt to fix it


I've set up a very simple alert to fire when my indexing volume exceeds a specific value.

index=_internal source=*license_usage.log type="Usage" | stats sum(b) as indexed_today | where indexed_today > 60000000000

I use the timerange preset of "Today". Then I create an alert to fire if I get any events. Run it every hour.

It isn't firing as I would expect. (Verified that there is a result before I save the search). I edit the search and find the timerange is set to last 1 hour. When I change it back to the preset of "today" and click save I get the warning popup "Your changes to the time range of this alert will not be saved."

Why is this?

Advice appreciated.




I got it guys: Edit Alert > Alert type > Scheduled and below select Run on Cron Schedule -> Select time range


A year late and a dollar short but we have the same issue on version 7.1.1 and I found that I could change the time range in savedsearches.conf accompanied by a /debug/refresh in order to use custom time on alerts.


Just noticed that some alerts allow changing the time range, and some others do not. I have no idea what the difference is between the two.



I have the same problem in 7.0.2.
I save the original alert with time range -1d@d @d and Splunk saves it as -1d now.
Then it is not possible to edit the alert to change the time range because the alert editor does not allow changing that parameter and says "Your changes to the time range of this alert will not be saved."

I think a lot of people have this problem, but are not aware of it. I'm pretty sure we missed some very important alerts in the past because of that. Scary...

Perhaps I can use earliest=-1d@d latest=@d as a workaround. But I will have to do that in all my hundreds of alerts.


Splunk Employee

Essentially there are many ways to edit Splunk knowledge objects like Report, Alert (i.e. Scheduled search), etc. In your case you have created some alert/scheduled search, and later, to edit it, you navigate to App: Search & Reporting > Alerts and you will see Alert names. Now to edit any given alert you have a few options here.

1) In your case you navigated to App: Search & Reporting > Alerts and for the relevant alert clicked “Open in Search”. Once you open it in search mode, you make a change to the time and try to save it. That won’t work and results in the error seen by you. This is because you are trying to save an existing alert as a Simple saved search.

Now to edit the saved search/alert, you should use the following options.

i) One, you can click on Settings > Searches, reports, and alerts and here you can look for your Alert name and drill down on Name and edit the alert/Saved search.
ii) The other option will be to navigate to App: Search & Reporting > Alerts and here drill down on the name of the Alert.
iii) One other option will be to navigate to App: Search & Reporting > Alerts and click on the Edit option for the alert to be edited.

Hope this helps.



Let's say you want to switch from a 5 min window to a 30 min window, in which alert edit option can you do this? I don't want to edit desc, perm, actions. I need to change the search time window, so your suggestions won't work for me.

However this is not related to update, whatever I choose as my time filter it is always All Time(realtime) when I save an alert and try to edit via open in search. So I think I am missing something fundamental here, I also don't think this is a bug, I am trying to do something in a way I am not supposed to do 🙂


Seems there is a bug when saving an alert. The search time range is not saved as set in the search.

However you can change the search time range when editing the alert, choose cron schedule and set the 'Earliest' and 'Latest' fields.

This needs to be fixed by the Splunk team though so it is saved correctly and editable for other alert schedule types.
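
For anyone with many alerts to check, here is an audit along the lines of the savedsearches.conf and earliest=/latest= workarounds mentioned in this thread. It is an added example, not code from any poster or from Splunk, and it lists the time window each scheduled search will actually run over. The stanzas are constructed sample data; the script assumes single-line `search` values and treats time modifiers before the first pipe as taking precedence over `dispatch.earliest_time` / `dispatch.latest_time`.

```python
import configparser
import re

# Constructed sample savedsearches.conf; stanza names and the second search are made up.
SAMPLE_CONF = r"""
[License volume]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = index=_internal source=*license_usage.log type="Usage" | stats sum(b) as indexed_today | where indexed_today > 60000000000

[Errors yesterday]
enableSched = 1
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
search = index=main sourcetype=app earliest=-1d@d latest=@d | stats count

[Ad hoc report]
dispatch.earliest_time = -24h
search = index=main | head 10
"""

INLINE = re.compile(r'\b(earliest|latest)=("[^"]*"|\S+)')

def audit(conf_text):
    """Return one row per scheduled search: the window it will really run over."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    rows = []
    for name in cp.sections():
        s = cp[name]
        if s.get("enableSched", "0").lower() not in ("1", "true"):
            continue  # not scheduled, so the scheduler never runs it
        win = {"earliest": s.get("dispatch.earliest_time", ""),
               "latest": s.get("dispatch.latest_time", "")}
        # Assumption: modifiers in the base search (text before the first pipe,
        # naive split) take precedence over the dispatch.* settings.
        inline = {k: v.strip('"') for k, v in INLINE.findall(s.get("search", "").split("|")[0])}
        win.update(inline)
        # Review when a relative earliest has no snap-to "@", e.g. -1d instead of -1d@d.
        review = win["earliest"].startswith(("-", "+")) and "@" not in win["earliest"]
        rows.append({"name": name, **win, "inline": sorted(inline), "review": review})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print(row)
```

A row with `review` set is not necessarily wrong; it is a window to compare against what the alert was meant to cover.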


This has happened to me as well in the latest version 6.
