How to resolve "Bulk upload failed to update a saved query" error in Panther

Last updated: April 15, 2025

Issue

When trying to upload to my Panther Console using panther_analysis_tool I am getting an error:

[ERROR]: {'message': 'bulk upload failed to update a saved query', ...

Resolution

To resolve this issue:

  • Check if your panther_analysis_tool upload command is uploading any scheduled queries.

    • If you are uploading any scheduled queries via panther_analysis_tool upload, you can fix this via one of the following methods:

      • Option 1: Examine the scheduled query that is being uploaded and verify it's valid:

        1. Ensure you are using fully qualified table names in your query (e.g., select * from panther_logs.public.custom_tablename instead of select * from custom_tablename).

        2. Make sure any table names referenced in the query exist in your Panther Console.

        3. Make sure there aren't any comments added to the last line of a query.

        4. Check if any column names at the top level of the query have special characters, and alias them (e.g., select problematic.ColumnName as somethingelse).

        5. Check if your query is a long-running query. If so, try to reduce the time it runs by limiting the data it queries via a where clause on the event_time (eg: where p_occurs_since('1 hour')). Another option is to avoid the use of the SQL clause SELECT DISTINCT * because using this clause on a large dataset has caused timeouts.

        6. Make sure your query doesn't use SQL's CALL command, since we currently don't support this. If your detection depends on a routine called by SQL, reach out to our support team for more assistance.

      • Option 2: Disable any scheduled query you do not wish to upload by editing the yaml file for the scheduled query and marking enabled: false.

  • Check that all scheduled queries that you are uploading are free of the following unallowed characters as part of their column aliases:

    • . , - \" ( ) :

  • If you do not intend to upload any scheduled queries, you can explicitly tell panther_analysis_tool to ignore them by adding a --filter KEY=VALUE argument to your panther_analysis_tool upload command. For example, to upload only rules, policies, and global helpers, you can add: --filter AnalysisType=policy,rule,global

  • If you are uploading a saved/scheduled query via CI/CD, please try using the below syntax in your yml file:

    Query: |-

    The corresponding section from our documentation provides all the relevant information on how to craft a saved search.
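The Option 1 checks that can be verified from the query text alone (steps 1, 3, 4, 5 and 6) can be run before upload with a small linter. This is an added example, not part of panther_analysis_tool or Panther's own code. The function name, the sample queries and the regex heuristics are assumptions. Whether a table exists (step 2) and how long a query runs still have to be confirmed in the Panther Console.

```python
import re

# Characters the article lists as not allowed in column aliases.
BAD_ALIAS_CHARS = set('.,-"():')

# Constructed sample queries (not from a real deployment).
BAD_QUERY = """select problematic.ColumnName as "problematic.ColumnName"
from custom_tablename
where p_occurs_since('1 hour') -- last hour only"""
GOOD_QUERY = """select problematic.ColumnName as somethingelse
from panther_logs.public.custom_tablename
where p_occurs_since('1 hour')"""

def lint_scheduled_query(sql: str) -> list:
    """Return heuristic findings for one scheduled query's SQL text (hypothetical helper)."""
    findings = []
    lines = [ln for ln in sql.splitlines() if ln.strip()]
    # Step 3: no comment on the last line of the query.
    if lines and any(tok in lines[-1] for tok in ("--", "/*", "*/")):
        findings.append("comment on last line")
    # Strip comments so the remaining checks only see SQL (ignores string literals).
    body = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    body = re.sub(r"--[^\n]*", " ", body)
    # Step 1: names after FROM/JOIN should be database.schema.table; CTE names are exempt.
    ctes = {c.lower() for c in re.findall(r"(?:\bwith|,)\s*(\w+)\s+as\s*\(", body, re.I)}
    for name in re.findall(r"\b(?:from|join)\s+([A-Za-z_][\w.]*)", body, re.I):
        if name.lower() not in ctes and name.count(".") < 2:
            findings.append(f"table not fully qualified: {name}")
    # Step 4: quoted column aliases must avoid the listed characters.
    for alias in re.findall(r'\bas\s+"((?:[^"]|"")*)"', body, re.I):
        if BAD_ALIAS_CHARS & set(alias):
            findings.append(f"disallowed character in alias: {alias}")
    # Step 5: SELECT DISTINCT * is called out as a timeout risk on large datasets.
    if re.search(r"\bselect\s+distinct\s+\*", body, re.I):
        findings.append("uses SELECT DISTINCT *")
    # Step 6: CALL is not supported in scheduled queries.
    if re.search(r"(?:^|;)\s*call\b", body, re.I | re.M):
        findings.append("uses CALL")
    return findings

if __name__ == "__main__":
    for label, query in (("bad", BAD_QUERY), ("good", GOOD_QUERY)):
        print(label, lint_scheduled_query(query))
```

An empty list means none of these text-level checks fired. It does not guarantee that Panther's validation run of the query will succeed.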

Cause

When you upload a scheduled query to your Panther Console, Panther will run this query first to verify if the query is valid before allowing it to be saved as a scheduled query. So if there is an error in running this query, Panther will not allow the upload to succeed.

This only applies to *enabled* scheduled queries, which is why one of the options to resolve such errors is to simply mark your scheduled query as enabled: false in your yaml file. Alternatively, the other suggestions in the resolution section above are some common ways that a query can be invalid, so if you do wish to upload a scheduled query, see the suggestions above on how to verify that your query is valid.