How do you disable a search validation when creati...

joemaz95 · ‎08-29-2018

I'm transferring an alert from one Splunk instance to another via REST api. The alert contains a custom search command, but the new Splunk doesn't have the search command set yet. When I try to create the alert, I get an error saying "http 400 bad request - Search factory: unknown search command." Is there any way to turn off the validation that's identifying the lack of a search command here? Thanks in advance.

mstjohn_splunk · ‎08-30-2018

Hey @joemaz95 , did you solve your problem? If you keep us updated on your progress, you have a better chance of getting your question answered.

Also, If you want to try to get some immediate help for your question, you could join the 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.

You first have to request access through https://splk.it/slack Fill out the form, and once you receive the approval email from our Community Manager (usually the approval process may take a couple days), you can access Slack.com and ask for help in the #general channel.

joemaz95 · ‎08-31-2018

Thanks for your input! I haven't made much headway with my issue, so maybe I'll give the slack chat a try.

richgalloway · ‎08-29-2018

Why not create the search command first?

---
If this reply helps you, Karma would be appreciated.

joemaz95 · ‎08-30-2018

The search command that I need to create has another dependency that wont be set up yet, so I was hoping to create the search before waiting for this domino effect to be set off.

How do you disable a search validation when creating an alert?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...