I wrote a program that uses the Splunk API to modify alerts. I tested this on one of my alerts and it worked fine. When I ran this against an alert that was owned by a Splunk service account, it created a new alert that was identical (identical name too) to the one I wanted to modify, except the owner is now me. In the API call I only provided the name of the alert and the section of the alert I wanted changed. It looks to have duplicated the rest from the existing alert. I also used a token associated with my username.
When I look in the alerts menu, I only see the original alert. I need to use a search query (| rest /servicesNS/-/-/saved/searches | search alert.track=1...) to see the other alert.
1) How do I delete the duplicate alert? It does not appear under my alerts either. I don't have access to the machine. I could request help from someone who does, though.
2) To modify an alert owned by someone else through the API, do I need a token generated from their account? I can edit the alert through the GUI.