Edit: Answer is as follows.
The important point was to replace user_context with nobody. Originally, I tried my own e-mail (request was successful but didn't apply any changes). I noticed the correct context while viewing the alert in the GUI.
The recommended method of updating the GeoLite database is to stop realtime searches. This is best done via script, so I need to tell Splunk via API to stop realtime searches. That's easy, but I can't figure out how to restart those searches. It seems that if I delete the search and give it about a minute, the search restarts.
Again, the goal is not to simply stop e-mails (or actions in general) from happening (what many of the examples from my searches suggest). I should be able to see real-time searches start/stop under Search Activity: Instance in the Monitoring Console.
You can enable/disable a rule with the API:
Example with curl:
curl -k -u admin https://<host>:<mgmt_port>/servicesNS/<user_context>/<app_context>/saved/searches/<search>/disable -X POST
Use enable to enable.
So I expected the GUI to update when I called: https://mysplksvr:8089/servicesNS/myemail%40domain.com/search/saved/searches/My%20Search/disable
Return data just lists info about the search. Doesn't seem to reflect the changes. user_context is the owner of the search/alert.
Oops, scratch that. If I replace user_context with "nobody", it works. Caught that by looking at the URL while viewing the alert in the GUI (noticed it referenced nobody).
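
A scripted version of what this thread arrives at, as an added example that is not part of the original posts: it disables a saved search, runs an update command, and re-enables the search, using the nobody owner context and URL-encoded names. SPLUNK_HOST, SPLUNK_CA and SPLUNK_NETRC are assumed variable names, and the script verifies the management-port certificate with --cacert where the thread's command uses -k.

```shell
#!/bin/sh
# Assumed environment (hypothetical names, not from the thread):
#   SPLUNK_HOST  management host:port, e.g. mysplksvr:8089
#   SPLUNK_CA    CA bundle that signed the management-port certificate
#   SPLUNK_NETRC netrc file (mode 0600) holding the API credentials

# Percent-encode one URL path segment (ASCII input assumed).
urlencode() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        case "$c" in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# Build the enable/disable endpoint. The owner defaults to "nobody", the
# context the thread found to work; pass a fifth argument to override it.
search_url() {  # host:port app search action [owner]
    printf 'https://%s/servicesNS/%s/%s/saved/searches/%s/%s' "$1" \
        "$(urlencode "${5:-nobody}")" "$(urlencode "$2")" "$(urlencode "$3")" "$4"
}

# POST the action; --fail turns an HTTP error into a non-zero exit status.
set_search() {  # action search
    curl --fail --silent --show-error --cacert "$SPLUNK_CA" \
        --netrc-file "$SPLUNK_NETRC" -X POST \
        "$(search_url "$SPLUNK_HOST" search "$2" "$1")" >/dev/null
}

# Disable the search, run the given command, then re-enable the search even
# when the command fails, and return the command's exit status.
with_search_disabled() {  # search command [args...]
    name=$1; shift
    set_search disable "$name" || return 1
    rc=0; "$@" || rc=$?
    set_search enable "$name" || return 1
    return "$rc"
}

# Usage (the update command is a placeholder):
#   with_search_disabled "My Search" /path/to/geolite-update-command
```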