Hi Splunk users,
I know that we can change ownership of alerts in this file:
/etc/apps/App_Name/metadata/local.meta
But I need a strategy where I can change the ownership of alerts in bulk (we have too many alerts)
this is an example of one of the alert stanza in my local.meta file.
[savedsearches/myAlert1]
export = none
owner = admin
version = 7.3.0
modtime = 1577505159.261205000
I tried to replace the stanza head with [savedsearches/*] hoping that the wild card will represent all of the alerts in this app, but it did not work. Looking for suggestion.
Regards.