Splunk Search

Can you alter the Splunk search used for an alert?

marnee
Explorer

Can you alter the Splunk search used for an alert? I don't see any way to alter it.

I am being asked to choose a product. From the About box in our local Splunk website, it lists Cloud, so I am selecting that.

1 Solution

masonbanhammer
Engager

If you have permissions, view the alert, click the edit button, choose Open in Search. Make the changes to the query and execute the search. You should then be able to click Save.

rogerdpack
Path Finder

That totally worked. And wasn't intuitive...

marnee
Explorer

Thanks for this clear answer on my very old question (when I was a newbie).

Splunk is awesome, but nothing is perfect. That way of altering the search query is so unintuitive that it still annoys me. Nobody I've worked with has ever been able to figure out how to edit a search query for an alert on their own.

A person shouldn't have to go to a manual for such a basic operation.

An improvement would be: Instead of "Open in Search", the text "Edit Search Query" would be much, much better. And then when it opens in Search, it should somehow look very different from normal search (e.g. different background color, make Save buttons much more prominent)

Maybe one day when I'm feeling ambitious, I'll figure out how and will send a suggestion to Splunk for that change, but what's the point? Most companies don't listen to such suggestions, no matter how good a company (and so many companies are forgetting about usability and about intuitive and efficient UIs these days).

cstamilarasan
Engager

Is it possible to update the alert query without recreating the alert? When I edit the alert query, it is not giving the option to "Save". It gives the option to "Save As", which leads us to create a new alert. Every time I make changes to the alert query, it forces me to save as a different query / different alert. Is there any way I can modify the existing query instead of creating a different alert every time?

WillTheOnly
Engager

@cstamilarasan You have to run the query after you edit it in order for the "Save" option to show.

It took me a while to figure that out.

masonbanhammer
Engager

Yes, you just need to run the query after you make the edits; the Save button should then be available.

ChrisG
Splunk Employee

Sure! You are looking for Edit an alert search in the Alerting Manual.

dshpritz
SplunkTrust

In most cases, yes you can, as they are saved searches. The Splunk Cloud User Manual is a great place to start, and there is also the Alerting Manual.
