<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to POST Saved Search XML/JSON Definition to REST API in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334732#M61898</link>
    <description>&lt;P&gt;@Rikh Did you get this problem solved? If yes, can you please post a solution here.&lt;/P&gt;</description>
    <pubDate>Mon, 17 Dec 2018 23:58:36 GMT</pubDate>
    <dc:creator>nilendra19888</dc:creator>
    <dc:date>2018-12-17T23:58:36Z</dc:date>
    <item>
      <title>How to POST Saved Search XML/JSON Definition to REST API</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334731#M61897</link>
      <description>&lt;P&gt;I can GET the definition of a saved search (report) from our dev server with a call like&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;curl -k -u me:word &lt;A href="https://splunk-for-dev:8089/serviceNS/me/my-app/saved/searches/my-report" target="test_blank"&gt;https://splunk-for-dev:8089/serviceNS/me/my-app/saved/searches/my-report&lt;/A&gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;How do I use the resulting XML/JSON to POST to our prod server?  The closest that I've found is something like&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;curl -k -u me:word &lt;A href="https://splunk-for-prod:8089/serviceNS/me/my-app/saved/searches" target="test_blank"&gt;https://splunk-for-prod:8089/serviceNS/me/my-app/saved/searches&lt;/A&gt; \
    -d name=my-report -d search=...
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;But that means going through the XML/JSON and working out which are the non-default values and a whole lot of text munging.  Surely there is a way that I can just post the XML/JSON that I've already got?&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jan 2018 13:27:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334731#M61897</guid>
      <dc:creator>RikH</dc:creator>
      <dc:date>2018-01-25T13:27:39Z</dc:date>
    </item>
    <item>
      <title>Re: How to POST Saved Search XML/JSON Definition to REST API</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334732#M61898</link>
      <description>&lt;P&gt;@Rikh Did you get this problem solved? If yes, can you please post a solution here.&lt;/P&gt;</description>
      <pubDate>Mon, 17 Dec 2018 23:58:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334732#M61898</guid>
      <dc:creator>nilendra19888</dc:creator>
      <dc:date>2018-12-17T23:58:36Z</dc:date>
    </item>
    <item>
      <title>Re: How to POST Saved Search XML/JSON Definition to REST API</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334733#M61899</link>
      <description>&lt;P&gt;Do you know how to write an API call to get the result in UI?&lt;/P&gt;</description>
      <pubDate>Thu, 03 Jan 2019 22:09:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334733#M61899</guid>
      <dc:creator>tejureddy101</dc:creator>
      <dc:date>2019-01-03T22:09:06Z</dc:date>
    </item>
    <item>
      <title>Re: How to POST Saved Search XML/JSON Definition to REST API</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334734#M61900</link>
      <description>&lt;P&gt;Some time back I did it like below. I basically had to write Python code to achieve this; I am posting sample code.&lt;BR /&gt;
Please note that it's very primitive code where exception handling is not proper and the code is not modularised. Let me briefly explain what it does:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;I have an alert in my local called "demo".&lt;/LI&gt;
&lt;LI&gt;First I am getting the alert JSON payload using the Python requests module (I am able to convert the cURL request to Python here).&lt;/LI&gt;
&lt;LI&gt;Now here the drama started while I am posting it to Splunk. First of all, I am not able to convert the cURL POST request to Python; even sending the data through a dictionary is also not working. So I directly called cURL in Python. Now the second challenge was the payload. The content payload itself is so heavy that if I pass it to curl it's not able to handle it. That's why I thought I will only send the data which the user is able to change from the UI. That's why key_list comes into the picture. The list is not exhaustive.&lt;/LI&gt;
&lt;LI&gt;Now the code is pushing the "demo" alert payload to a new alert called "sid". That's why I have changed the name (hardcoded). So in the POST request we need to give the new server URL.&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;I haven't handled the scenario where if the alert exists it should update, otherwise it should create a new alert. I think that should be easy to implement.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;import requests as req
import json
import subprocess
import sys

def get_alert_dtl_frm_splunk(requestURL,parameters,auth):
    #verify=False skips TLS certificate verification (self-signed certificate on a local test instance)
    response=req.get(url=requestURL,params=parameters,verify=False,auth=auth)
    if response.status_code !=200:
        #response.text instead of response.json(): an error body is not guaranteed to be JSON
        print('Status: ',response.status_code,'Headers: ',response.headers,'Error Response: ',response.text)
        sys.exit(1)
    data=response.json()
    return json.dumps(data)

def main():
    #preparing the data for get request
    requestURL = 'https://localhost:8089/servicesNS/admin/tmdb/saved/searches/demo'
    params = (('output_mode', 'json'),)
    auth=('admin', 'monitor!')

    #get the alert json from one splunk instance
    data = get_alert_dtl_frm_splunk(requestURL,params,auth)
    data = json.loads(data)
    alert_content_json = data["entry"][0]["content"]
    #print(data)

    #post to splunk
    alert_content_json["name"] = "Sid"
    #build the curl argument list directly: each value is passed as one argument, so it needs no extra quoting or escaping
    args = ['curl', '-k', '-u', 'admin:monitor!', 'https://localhost:8089/servicesNS/admin/tmdb/saved/searches']
    args += ['--data-urlencode', 'name=' + alert_content_json["name"]] #as first argument of curl has to be name
    key_list = ["alert.severity","alert.suppress","alert.track","alert_type","cron_schedule","is_scheduled","alert_threshold","alert_comparator","search"] #need to do this as cUrl command is not able to send the full payload
    for key in alert_content_json.keys():
        if key in key_list:
            value = str(alert_content_json[key])
            args += ['--data-urlencode', key + '=' + value]
    #print(args)
    #Popen instead of subprocess.call (which returns only the exit code) so that communicate() can collect the output
    process = subprocess.Popen(args, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = process.communicate()

main()
&lt;/CODE&gt;&lt;/PRE&gt;&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Fri, 04 Jan 2019 05:09:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-POST-Saved-Search-XML-JSON-Definition-to-REST-API/m-p/334734#M61900</guid>
      <dc:creator>sdchakraborty</dc:creator>
      <dc:date>2019-01-04T05:09:21Z</dc:date>
    </item>
  </channel>
</rss>

