contentctl icon indicating copy to clipboard operation
contentctl copied to clipboard

Published 20 hours ago verified publisher icon splunk

Lookup validation - Ignore local=true

Open 0xC0FFEEEE opened this issue 1 year ago • 1 comments

We've modified a couple of our Azure AD rules to use local=true as the ESCU searches fail on our cloud ES search head.

After converting our savedsearches.conf search back to YAML and running validation over the rules, contentctl complains that the local=true lookup doesn't exist. This simple change adds an an additional non-capture group to ignore this option.

0xC0FFEEEE avatar Nov 22 '23 09:11 0xC0FFEEEE