topic REST API Saved Searches POST Duplicating Searches in Getting Data In https://community.splunk.com/t5/Getting-Data-In/REST-API-Saved-Searches-POST-Duplicating-Searches/m-p/490581#M83860 <P>I'm trying to use the REST API to update a large number of alerts/saved searches across multiple environments. Specifically, I want to update to ensure that CSV's are attached to emails. I'm testing this in a lab on Splunk 8.0.2.</P> <P>I've tried using both of these:<BR /> 'curl -u splunk_user:splunk_pass -X POST -sk "<A href="https://splunk_ip:8089/services/saved/searches/(search" target="_blank">https://splunk_ip:8089/services/saved/searches/(search</A> title URL encoded)" -d action.email.sendcsv=1'<BR /> 'curl -u splunk_user:splunk_pass -X POST -sk "<A href="https://splunk_ip:8089/servicesNS/(owner)/(app)/saved/searches/(search" target="_blank">https://splunk_ip:8089/servicesNS/(owner)/(app)/saved/searches/(search</A> title URL encoded)" -d action.email.sendcsv=1' </P> <P>However, what seems to be happening is that the alerts are being cloned into a report instead of being updated themselves. The name is identical, and the search is being copied over despite not being in the curl request. </P> <P>Not sure what is going wrong with these API calls. They look correct by my reading of the API documentation, but I may be overlooking something.</P> Wed, 30 Sep 2020 05:17:47 GMT stranjer 2020-09-30T05:17:47Z REST API Saved Searches POST Duplicating Searches https://community.splunk.com/t5/Getting-Data-In/REST-API-Saved-Searches-POST-Duplicating-Searches/m-p/490581#M83860 <P>I'm trying to use the REST API to update a large number of alerts/saved searches across multiple environments. Specifically, I want to update to ensure that CSV's are attached to emails. I'm testing this in a lab on Splunk 8.0.2.</P> <P>I've tried using both of these:<BR /> 'curl -u splunk_user:splunk_pass -X POST -sk "<A href="https://splunk_ip:8089/services/saved/searches/(search" target="_blank">https://splunk_ip:8089/services/saved/searches/(search</A> title URL encoded)" -d action.email.sendcsv=1'<BR /> 'curl -u splunk_user:splunk_pass -X POST -sk "<A href="https://splunk_ip:8089/servicesNS/(owner)/(app)/saved/searches/(search" target="_blank">https://splunk_ip:8089/servicesNS/(owner)/(app)/saved/searches/(search</A> title URL encoded)" -d action.email.sendcsv=1' </P> <P>However, what seems to be happening is that the alerts are being cloned into a report instead of being updated themselves. The name is identical, and the search is being copied over despite not being in the curl request. </P> <P>Not sure what is going wrong with these API calls. They look correct by my reading of the API documentation, but I may be overlooking something.</P> Wed, 30 Sep 2020 05:17:47 GMT https://community.splunk.com/t5/Getting-Data-In/REST-API-Saved-Searches-POST-Duplicating-Searches/m-p/490581#M83860 stranjer 2020-09-30T05:17:47Z