Modify Alert with REST API


I wrote a program that uses the Splunk API to modify alerts.  I tested this on one of my alerts and it worked fine.  When I ran this against an alert that was owned by a splunk service account it created a new alert that was identical (identical name too) to the one I wanted to modify except the owner is now me.   In the API call I only provided the name of the alert and the section of the alert I wanted changed.   It looks to have duplicated the rest from the existing alert.   I also used a token associated with my username.    

When I look in the alerts menu I only see the original alert.   I need to use a search query (|rest/servicesNS/-/-/saved/searches | search alert.track=1...) to see the other alert. 

 1)  How do I delete the duplicate alert?  It does not appear under my alerts either.  I don't have access to the machine.  I could request help from someone that does though.      

2)  To modify an alert owned by someone else through the API do I need a token generated from their account?  I can edit the alert through the GUI.



Labels (1)
Tags (1)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!