topic Re: How to disable an email alert for a single saved search through CLI or Rest API? in Alerting

How to disable an email alert for a single saved search through CLI or Rest API?

csimp2033 — Wed, 20 Apr 2016 20:54:43 GMT

I am trying to automate the silencing and un-silencing of a single email alert. Is there a way to do this through the CLI or the Rest API? I have yet to find a way that has worked.

I need to be able to do this either via the command line or through a very simple application.

I am currently trying to use curl. I have tried the following command:

curl -k -u admin:pass https://localhost:8089/servicesNS/<user>/<app>/saved/searches/<search name> -d "is_scheduled=false"

However it returns:

<response>
  <messages>
    <msg type="ERROR">
 In handler 'savedsearch': Cannot find saved search with name '<search name>' .</msg>
  </messages>
</response>

I started looking through the savedsearches.conf of the user and the search that was there is now gone and is not present in any of the other savedsearches.conf files on my server yet it shows up in the web portal.

Re: How to disable an email alert for a single saved search through CLI or Rest API?

dolivasoh — Thu, 21 Apr 2016 04:46:49 GMT

You could possibly re-write the config using http://docs.splunk.com/Documentation/Splunk/6.4.0/RESTREF/RESTconf and then fire off a debug/refresh.

Re: How to disable an email alert for a single saved search through CLI or Rest API?

csimp2033 — Thu, 21 Apr 2016 17:26:43 GMT

I attempted this and I could not figure out a way to get this to work.

Re: How to disable an email alert for a single saved search through CLI or Rest API?

csimp2033 — Tue, 29 Sep 2020 09:32:10 GMT

I figured it out. The reason that the curl command was not working was because the search was in the nobody user's saved search conf file rather than the user that created the saved search. Also the -d "is_scheduled=false" needed to be -d "is_scheduled=0"

Re: How to disable an email alert for a single saved search through CLI or Rest API?

mzorzi — Tue, 29 Sep 2020 13:48:39 GMT

You need to use -d actions="".

Example this creates the search with alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/ -d name=zzzsrch -d search=* -d is_scheduled=1 -d cron_schedule="*/2 * * * *" -d actions=email -d action.email.to="zzz@ssss.com" | grep -E "action.email\"|action.email.to"

This disable the alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/zzzsrch -d actions="" | grep -E "action.email\"|action.email.to"

Re: How to disable an email alert for a single saved search through CLI or Rest API?

pretzel2 — Mon, 18 Dec 2017 13:38:12 GMT

Is a Splunk restart required after making this call?

Re: How to disable an email alert for a single saved search through CLI or Rest API?

shawngarrettsgp — Mon, 18 Dec 2017 15:54:54 GMT

for disabling/enabling an alert, no not at all.