Splunk_Docker/files/splunk-etc/apps/alert_logevent/default/restmap.conf

[validation:savedsearch]
# Require event to be set if logevent action is enabled
action.logevent = case('action.logevent' != "1", null(), 'action.logevent.param.event' == "action.logevent.param.event" OR 'action.logevent.param.event' == "", "No event text specified for log event action",  1==1, null())
	`[validation:savedsearch]`
	`# Require event to be set if logevent action is enabled`
	`action.logevent = case('action.logevent' != "1", null(), 'action.logevent.param.event' == "action.logevent.param.event" OR 'action.logevent.param.event' == "", "No event text specified for log event action", 1==1, null())`