I was having a similar issue: the query runs fine, but for whatever reason Splunk wasn't liking the rising column I was picking and wouldn't let me move to the next screen. I went in and just created the input in db_inputs.conf and restarted Splunk, and it started working. I'm guessing there is some logic checking that is busted in the UI for the app.
I had the same error, but a different fix. I had actually created a lookup with the same name as an existing lookup, but with different fields. This name collision was causing the error. I changed the name of the new lookup and the errors went away. I honestly wouldn't have found my issue if it wasn't for this thread.
Check to make sure your Splunk instances as well as the system that you are collecting logs from are synced to NTP.
Having system time off on any of these can absolutely screw up alerting.
That includes validating that the timezones are correct.