Skip to main content
Panther Knowledge Base

How to resolve "Bulk upload failed to update a saved query" error in Panther


When trying to upload to my Panther Console using panther_analysis_tool I am getting an error:

[ERROR]: {'message': 'bulk upload failed to update a saved query', ...


To resolve this issue:

  • Check if your panther_analysis_tool upload command is uploading any scheduled queries.
    • If you are uploading any scheduled queries via panther_analysis_tool upload, you can fix this via one of the following methods:
      • Option 1: Examine the scheduled query that is being uploaded and verify it's valid:
        1. Ensure you are using fully qualified table names in your query (eg: select * from panther_logs.public.custom_tablename instead of select * from custom_tablename)
        2. Make sure any table names referenced in the query exist in your Panther Console.
        3. Make sure there aren't any comments added to the last line of a query.
        4. Check if any column names at the top-level of the query have special characters, and alias them (eg: select problematic.ColumnName as somethingelse)
        5. Check if your query is a long-running query. If so, try to reduce the time it runs by limiting the data it queries via a where clause on the event_time (eg: where p_occurs_since('1 hour')). Another option is to avoid the use of the SQL clause SELECT DISTINCT * because using this clause on a large dataset has caused timeouts.
        6. Make sure your query doesn't use SQL's CALL command, since we currently don't support this. If your detection depends on a routine called by SQL, reach out to our support team for more assistance.
      • Option 2: Disable any scheduled query you do not wish to upload by editing the yaml file for the scheduled query and marking enabled: false.
  • Check that all scheduled queries that you are uploading are free of the following unallowed characters as part of their column aliases:
    • . , - \" ( ) :
  • If you are not intending to upload any scheduled queries, you can explicitly tell panther_analysis_tool to ignore them by adding a --filter KEY=VALUE argument to your panther_analysis_tool upload command. For example, to only upload rules,policies, and global helpers you can add: --filter AnalysisType=policy,rule,global


When you upload a scheduled query to your Panther Console, Panther will run this query first to verify if the query is valid before allowing it to be saved as a scheduled query. So if there is an error in running this query, Panther will not allow the upload to succeed.

This only applied to *enabled* scheduled queries, which is why one of the options to resolve such errors is to simply mark your scheduled query as enabled: falsein your yaml file. Alternatively, the other suggestions in the resolution section above are some common ways that a query can be invalid, so if you do wish to upload a scheduled query, see the suggestions above on how to verify that your query is valid.