topic create shared splunk alert with api in Splunk Cloud Platform

create shared splunk alert with api

harpr86 — Fri, 06 Jun 2025 00:04:19 GMT

Hi,

I am trying to create alert using api, alert is not getting created in shared mode. I need to run acl command separately to give r+w access to user.

Command to create alert.

curl --location --request POST 'https://splunkHost:8089/services/saved/searches' \ --header 'Authorization: Basic Auth' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'name=test_alert_harpreet07' \ --data-urlencode 'cron_schedule=*/30 * * * *' \ --data-urlencode 'description=This alert will be triggered if proxy has 4x,5x errors' \ --data-urlencode 'dispatch.earliest_time=-30@m' \ --data-urlencode 'dispatch.latest_time=now' \ --data-urlencode 'search=search index="federated:some-index" statusCode">3*'' \ --data-urlencode 'alert_type=number of events' \ --data-urlencode 'alert.expires=730d' \ --data-urlencode 'action.email.to=xyz.abc@def.com' \ --data-urlencode 'action.email.maxresults=50' \ --data-urlencode 'action.email.subject=some-Errors' \ --data-urlencode 'dispatchAs=user' \ --data-urlencode 'action.email.from=Splunk'

to give permission to user

curl --location --request POST 'https://splunkHOST"8089/services/saved/searches/<alertName>/acl' \

--header 'Authorization: Basic Auth' \

--header 'Content-Type: application/x-www-form-urlencoded' \

--data-urlencode 'sharing=app' \

--data-urlencode 'app=search' \

--data-urlencode 'perms.read=user' \

--data-urlencode 'perms.write=user' \

--data-urlencode 'owner=automation'

#splunk #cloud

is there a way, that alert should be created in shared mode with r+w access to user.

Re: create shared splunk alert with api

livehybrid — Fri, 06 Jun 2025 00:31:14 GMT

Hi @harpr86

Which app is the first request creating the search in?

I would recommend trying to update both of the API calls to using the servicesNS endpoints instead:

/servicesNS/<user>/<app>/saved/searches and /servicesNS/<user>/<app>/saved/searches/<alertName>/acl

e.g.

curl --location --request POST 'https://splunkHost:8089/servicesNS/automation/search/saved/searches' \ --header 'Authorization: Basic Auth' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'name=test_alert_harpreet07' \ --data-urlencode 'cron_schedule=*/30 * * * *' \ --data-urlencode 'description=This alert will be triggered if proxy has 4x,5x errors' \ --data-urlencode 'dispatch.earliest_time=-30@m' \ --data-urlencode 'dispatch.latest_time=now' \ --data-urlencode 'search=search index="federated:some-index" statusCode">3*"' \ --data-urlencode 'alert_type=number of events' \ --data-urlencode 'alert.expires=730d' \ --data-urlencode 'action.email.to=xyz.abc@def.com' \ --data-urlencode 'action.email.maxresults=50' \ --data-urlencode 'action.email.subject=some-Errors' \ --data-urlencode 'dispatchAs=user' \ --data-urlencode 'action.email.from=Splunk' curl --location --request POST 'https://splunkHost:8089/servicesNS/automation/search/saved/searches/test_alert_harpreet07/acl' \ --header 'Authorization: Basic Auth' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'sharing=app' \ --data-urlencode 'app=search' \ --data-urlencode 'perms.read=user' \ --data-urlencode 'perms.write=user' \ --data-urlencode 'owner=automation'

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: create shared splunk alert with api

harpr86 — Fri, 06 Jun 2025 15:18:04 GMT

@livehybrid thanks for your response. but, I am looking to perform the two operation in single api.

for example, at the time of creation of splunk alert , alert should have permission of r+w to user.

Re: create shared splunk alert with api

livehybrid — Fri, 06 Jun 2025 18:36:49 GMT

Hi @harpr86

Unfortunately this isn’t possible. I think this is the same when using the UI? Eg you create a search and it starts as private and then you have to update the permission to be shared.
I hope this helps, sorry it isn’t the answer you might have hoped for!