I've set up a very simple alert to fire when my indexing volume exceeds a specific value.
index=_internal source=*license_usage.log type="Usage" | stats sum(b) as indexed_today | where indexed_today > 60000000000
I use the timerange preset of "Today". Then I create an alert to fire if I get any events. Run it every hour.
It isn't firing as I would expect. (Verified that there is a result before I save the search). I edit the search and find the timerange is set to last 1 hour. When I change it back to the preset of "today" and click save I get the warning popup "Your changes to the time range of this alert will not be saved."
Why is this?
A year late and a dollar short, but we have the same issue on version 7.1.1, and I found that I could change the time range in savedsearches.conf, accompanied by a /debug/refresh, in order to use a custom time range on alerts.
I have the same problem in 7.0.2
I save the original alert with time range -1d@d @d and Splunk saves it as -1d now.
Then it is not possible to edit the alert to change the time range, because the alert editor does not allow changing that parameter and says "Your changes to the time range of this alert will not be saved."
I think a lot of people have this problem but are not aware of it. I'm pretty sure we missed some very important alerts in the past because of that. Scary...
Perhaps I can use earliest=-1d@d latest=@d as a workaround. But I will have to do that in all my hundreds of alerts.
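The two workarounds mentioned in this thread (setting the window in savedsearches.conf followed by a /debug/refresh, and writing earliest=/latest= modifiers into the SPL itself) both leave the question of which window an alert will really run with. The script below is an added example, not code from the thread or from Splunk: it parses a constructed savedsearches.conf, reports the configured versus effective window of every scheduled search, and flags alerts that came back as "last 1 hour" or whose inline modifiers disagree with the saved dispatch keys. The key names dispatch.earliest_time, dispatch.latest_time, enableSched and cron_schedule are the standard savedsearches.conf settings; the sample stanzas and the "last hour" heuristic are assumptions modelled on the thread.

```python
"""Audit the time windows of scheduled alerts in a Splunk savedsearches.conf.

Added example for this thread: it works out the time range each scheduled
search will actually dispatch with and flags the situations described above.
"""
import configparser
import re

# Constructed sample savedsearches.conf modelled on the alerts in the thread.
# It is not taken from any real deployment.
SAMPLE_CONF = """
[Daily license volume]
search = index=_internal source=*license_usage.log type="Usage" | stats sum(b) as indexed_today | where indexed_today > 60000000000
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now

[Yesterday failed logins]
search = index=security action=failure earliest=-1d@d latest=@d | stats count by user
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now

[Ad hoc report]
search = index=web status=500 | stats count
enableSched = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
"""

# Inline time modifiers in SPL take precedence over the saved dispatch window.
INLINE_RE = re.compile(r"\b(earliest|latest)=(\S+)")


def parse_savedsearches(text):
    """Return {stanza_name: {key: value}} for a savedsearches.conf body."""
    # RawConfigParser: no '%' interpolation, so SPL bodies survive untouched.
    # Only '=' splits key from value; SPL contains ':' in places like sourcetypes.
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def inline_window(search):
    """(earliest, latest) written into the SPL, or None for each side that is absent."""
    found = dict(INLINE_RE.findall(search))
    return found.get("earliest"), found.get("latest")


def effective_window(stanza):
    """Window the scheduler really uses: inline modifiers win over dispatch.* keys.

    Assumption: where only one side is inline, the other side still comes from
    the dispatch key.
    """
    inline_e, inline_l = inline_window(stanza.get("search", ""))
    earliest = inline_e or stanza.get("dispatch.earliest_time")
    latest = inline_l or stanza.get("dispatch.latest_time")
    return earliest, latest


def audit(conf):
    """One finding per scheduled stanza; flags name the problems from the thread."""
    findings = []
    for name, stanza in conf.items():
        if stanza.get("enableSched", "0") != "1":
            continue  # ad hoc reports never fire, so their window cannot be missed
        configured = (stanza.get("dispatch.earliest_time"),
                      stanza.get("dispatch.latest_time"))
        effective = effective_window(stanza)
        flags = []
        # Heuristic for the symptom reported above: a window chosen in the
        # time picker that was saved back as "last 1 hour".
        if configured == ("-1h", "now"):
            flags.append("window_is_last_hour")
        # The inline earliest=/latest= workaround runs correctly, but the saved
        # window shown in the editor no longer reflects what the alert does.
        if effective != configured:
            flags.append("inline_overrides_dispatch")
        if configured[0] is None or configured[1] is None:
            flags.append("dispatch_window_unset")
        findings.append({"name": name, "configured": configured,
                         "effective": effective, "flags": flags})
    return findings


def corrected_stanza(name, stanza, earliest, latest):
    """Render the stanza with an explicit dispatch window, ready to paste into
    savedsearches.conf before the /debug/refresh the thread mentions."""
    fixed = dict(stanza)
    fixed["dispatch.earliest_time"] = earliest
    fixed["dispatch.latest_time"] = latest
    return "\n".join([f"[{name}]"] + [f"{k} = {v}" for k, v in fixed.items()])


if __name__ == "__main__":
    conf = parse_savedsearches(SAMPLE_CONF)
    for f in audit(conf):
        print(f"{f['name']}: configured={f['configured']} "
              f"effective={f['effective']} flags={f['flags']}")
    # Repair the first alert to the "Today" window its author asked for.
    print(corrected_stanza("Daily license volume", conf["Daily license volume"], "@d", "now"))
```

Run against a real $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf, the "window_is_last_hour" flag is only a hint to review the alert by hand, since some alerts genuinely want the last hour; the "inline_overrides_dispatch" flag is the more reliable one, because an inline modifier that differs from the saved window means the editor will show a range the alert does not use.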
Essentially there are many ways to edit Splunk knowledge objects like a Report, an Alert (i.e. a scheduled search), etc. In your case you have created an alert/scheduled search and later, to edit it, you navigate to App: Search & Reporting > Alerts, where you will see the alert names. Now, to edit any given alert, you have a few options here.
1) In your case you navigated to App: Search & Reporting > Alerts and, for the relevant alert, clicked "Open in Search". Once you open it in search mode, make a change to the time and try to save it, that won't work and results in the error you saw. This is because you are trying to save an existing alert as a simple saved search.
Now, to edit the saved search/alert, you should use the following options.
i) You can click on Settings > Searches, reports, and alerts, look for your alert name, then drill down on the name and edit the alert/saved search.
ii) The other option is to navigate to App: Search & Reporting > Alerts and drill down on the name of the alert.
iii) Another option is to navigate to App: Search & Reporting > Alerts and click on the Edit option for the alert to be edited.
Hope this helps.
Let's say you want to switch from a 5 min window to a 30 min window; in which alert edit option can you do this? I don't want to edit desc, perm, actions. I need to change the search time window, so your suggestions won't work for me.
However, this is not related to the update: whatever I choose as my time filter, it is always All Time (real-time) when I save an alert and try to edit it via Open in Search. So I think I am missing something fundamental here; I also don't think this is a bug, I am trying to do something in a way I am not supposed to do 🙂
Seems there is a bug when saving an alert. The search time range is not saved as set in the search.
However you can change the search time range when editing the alert, choose cron schedule and set the 'Earliest' and 'Latest' fields.
This needs to be fixed by the Splunk team though so it is saved correctly and editable for other alert schedule types.