I'm transferring an alert from one Splunk instance to another via the REST API. The alert contains a custom search command, but the new Splunk instance doesn't have the search command set up yet. When I try to create the alert, I get an error saying "http 400 bad request - Search factory: unknown search command."
Is there any way to turn off the validation that's identifying the lack of a search command here? Thanks in advance.
Hey @joemaz95, did you solve your problem? If you keep us updated on your progress, you have a better chance of getting your question answered.
Also, if you want to try to get some immediate help for your question, you could join the 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.
You first have to request access through https://splk.it/slack. Fill out the form, and once you receive the approval email from our Community Manager (the approval process may take a couple of days), you can access Slack.com and ask for help in the #general channel.
Thanks for your input! I haven't made much headway with my issue, so maybe I'll give the Slack chat a try.
Why not create the search command first?
The search command that I need to create has another dependency that won't be set up yet, so I was hoping to create the search before waiting for this domino effect to be set off.