Alerting

How to disable an email alert for a single saved search through CLI or Rest API?

csimp2033
Explorer

I am trying to automate the silencing and un-silencing of a single email alert. Is there a way to do this through the CLI or the Rest API? I have yet to find a way that has worked.

I need to be able to do this either via the command line or through a very simple application.

I am currently trying to use curl. I have tried the following command:

curl -k -u admin:pass https://localhost:8089/servicesNS/<user>/<app>/saved/searches/<search name> -d "is_scheduled=false"

However it returns:

<response>
  <messages>
    <msg type="ERROR">
 In handler 'savedsearch': Cannot find saved search with name '<search name>' .</msg>
  </messages>
</response>

I started looking through the savedsearches.conf of the user and the search that was there is now gone and is not present in any of the other savedsearches.conf files on my server yet it shows up in the web portal.

1 Solution

csimp2033
Explorer

I figured it out. The reason that the curl command was not working was because the search was in the nobody user's saved search conf file rather than the user that created the saved search. Also the -d "is_scheduled=false" needed to be -d "is_scheduled=0"

View solution in original post

pretzel2
Path Finder

Is a Splunk restart required after making this call?

0 Karma

shawngarrettsgp
Path Finder

for disabling/enabling an alert, no not at all.

0 Karma

mzorzi
Splunk Employee
Splunk Employee

You need to use -d actions="".

Example this creates the search with alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/ -d name=zzzsrch -d search=* -d is_scheduled=1 -d cron_schedule="*/2 * * * *" -d actions=email -d action.email.to="zzz@ssss.com" | grep -E "action.email\"|action.email.to"

This disable the alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/zzzsrch -d actions="" | grep -E "action.email\"|action.email.to"

0 Karma

csimp2033
Explorer

I figured it out. The reason that the curl command was not working was because the search was in the nobody user's saved search conf file rather than the user that created the saved search. Also the -d "is_scheduled=false" needed to be -d "is_scheduled=0"

dolivasoh
Contributor

You could possibly re-write the config using http://docs.splunk.com/Documentation/Splunk/6.4.0/RESTREF/RESTconf and then fire off a debug/refresh.

0 Karma

csimp2033
Explorer

I attempted this and I could not figure out a way to get this to work.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...