Is it possible to update the alert query without recreating the alert? When I edit the alert query, it does not give the option to "Save". It gives the option to "Save As", which leads us to create a new alert. Every time I make changes to the alert query, it forces me to save as a different query / different alert. Is there any way I can modify the existing query instead of creating a different alert every time?
If you have permissions, view the alert, click the edit button, and choose Open in Search. Make the changes to the query and execute the search. You should then be able to click Save.
Thanks for this clear answer on my very old question (when I was a newbie).
Splunk is awesome, but nothing is perfect. That way of altering the search query is so unintuitive that it still annoys me. Nobody I've worked with has ever been able to figure out how to edit a search query for an alert on their own.
A person shouldn't have to go to a manual for such a basic operation.
An improvement would be: instead of "Open in Search", the text "Edit Search Query" would be much, much better. And then when it opens in Search, it should somehow look very different from normal search (e.g. a different background color, and Save buttons made much more prominent).
Maybe one day when I'm feeling ambitious, I'll figure out how and will send a suggestion to Splunk for that change, but what's the point? Most companies don't listen to such suggestions, no matter how good a company (and so many companies are forgetting about usability and about intuitive and efficient UIs these days).