
Can you alter the Splunk search used for an alert?

Explorer

Can you alter the Splunk search used for an alert? I don't see any way to alter it.

I am being asked to choose a product. From the About box in our local Splunk website, it lists Cloud, so I am selecting that.


Re: Can you alter the Splunk search used for an alert?

SplunkTrust

In most cases, yes you can, as they are saved searches. The Splunk Cloud User Manual is a great place to start, and there is also the Alerting Manual.


Re: Can you alter the Splunk search used for an alert?

Splunk Employee

Sure! You are looking for Edit an alert search in the Alerting Manual.


Re: Can you alter the Splunk search used for an alert?

New Member

Is it possible to update the alert query without recreating the alert? When I edit the alert query it does not give the option to "Save". It gives the option to "Save As", which leads us to create a new alert. Every time I make changes to the alert query, it forces me to save it as a different query / different alert. Is there any way I can modify the existing query instead of creating a different alert every time?


Re: Can you alter the Splunk search used for an alert?

Yes, you just need to run the query after you make the edits; the Save button should then be available.


Re: Can you alter the Splunk search used for an alert?

If you have permissions, view the alert, click the Edit button, and choose Open in Search. Make the changes to the query and execute the search. You should then be able to click Save.


Re: Can you alter the Splunk search used for an alert?

Explorer

Thanks for this clear answer on my very old question (when I was a newbie).

Splunk is awesome, but nothing is perfect. That way of altering the search query is so unintuitive that it still annoys me. Nobody I've worked with has ever been able to figure out how to edit a search query for an alert on their own.

A person shouldn't have to go to a manual for such a basic operation.

An improvement would be: instead of "Open in Search", the text "Edit Search Query" would be much, much better. And then when it opens in Search, it should somehow look very different from a normal search (e.g. a different background color, and much more prominent Save buttons).

Maybe one day when I'm feeling ambitious, I'll figure out how and will send a suggestion to Splunk for that change, but what's the point? Most companies don't listen to such suggestions, no matter how good a company (and so many companies are forgetting about usability and about intuitive and efficient UIs these days).