topic Re: How to set up a curl script to enable a scheduled search when an alert is triggered? in Alerting

How to set up a curl script to enable a scheduled search when an alert is triggered?

sidekix24 — Mon, 28 Mar 2016 21:26:58 GMT

Hello,

I'm trying to set up a curl script to enable/disable a search under "Searches, reports, and alerts" when an alert is triggered. I've done some searching on the boards and found the example below, but it's not working for me.

curl -ku admin:changeme https://localhost:8089/servicesNS///saved/searches/ -d "is_scheduled=0"

Basically, a curl or CLI command that will drop a check mark in the box in the screen shot for me so I can script that out would solve my issue.

Anyone have any suggestions?

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

frobinson_splun — Mon, 28 Mar 2016 22:33:29 GMT

Hi @sidekix24,
Here is some documentation on the script alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Runscriptaction

As of software version 6.3, the script alert action is deprecated, just FYI. You might want to consider a custom alert action as an alternative:
http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro

This documentation on the saved/searches/{name} endpoint might also help with updating the search scheduling as part of the alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D

Hope this helps!

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

sidekix24 — Wed, 30 Mar 2016 18:27:55 GMT

Thank you,

Is there something that needs to be enabled to run these commands?

In the output, I get the message below. The output doesn't match what I expect to see compared to the output in documents.

Splunk relies on JavaScript to function properly.
Please enable JavaScript and then refresh the page to login.

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

sidekix24 — Wed, 30 Mar 2016 19:10:33 GMT

ok...I'm getting a little further but need some assistance if someone can help.

I'm running the command below:

-k -u admin:pass -XPOST https://splunk.server/en-US/account/login?return_to=%2Fen-US%2Fmanager%2Flauncher%2Fsaved%2Fsearches%2FEnable%2520Test%2520status

And I'm getting this in return:

{"status":1}

I've tried enabling and disabling the status of the saved search in "Searches, reports, and alerts" but that status doesn't change every time I run that command, it stays at {"status":1}.

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

sidekix24 — Wed, 30 Mar 2016 20:41:36 GMT

Even a command to enable/disable the saved search would solve my issue 🙂

Thanks again

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

frobinson_splun — Wed, 30 Mar 2016 22:56:06 GMT

Hi @sidekix24,
Thanks for the follow-up. Sounds like something is not quite right. I'm going to run your questions by some of my colleagues. I'll report back ASAP!

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

sidekix24 — Fri, 01 Apr 2016 15:50:04 GMT

Thank you...your colleagues come back with anything yet?

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

frobinson_splun — Tue, 29 Sep 2020 09:17:19 GMT

Thanks for hanging in there. Can you confirm that the URL you posted above is the one you're using? I'm curious about what happens if/when you use the saved/searches/{name_of_your_search} endpoint that I mentioned above in the REST documentation...

Importantly, be sure to specify the name of the saved search that you want to schedule as part of the URL you are using here.

For example, one of my colleagues posted this example:

curl -ku admin:changeme https://localhost:8089/servicesNS///saved/searches/ -d "is_scheduled=0"

curl -ku admin:changeme https://localhost:8089/servicesNS/admin/seach/saved/searches/foobar -d "is_scheduled=0"

in this older Answers post that I think might help:
https://answers.splunk.com/answers/174869/how-to-disable-scheduled-searches-via-command-line.html

Re: How to set up a curl script to enable a scheduled search when an alert is triggered?

sidekix24 — Wed, 06 Apr 2016 16:21:54 GMT

frobinson,

I got it working. My endpoints were incorrect for the saved searches. Once I fixed those, the whole process came together and worked. I was able to successfully build a script to trigger a second search then another script to disable that search once it sends out the "all clear" message.

Thanks for the help