Alerting

How to disable an email alert for a single saved search through CLI or Rest API?

csimp2033
Explorer

I am trying to automate the silencing and un-silencing of a single email alert. Is there a way to do this through the CLI or the Rest API? I have yet to find a way that has worked.

I need to be able to do this either via the command line or through a very simple application.

I am currently trying to use curl. I have tried the following command:

curl -k -u admin:pass https://localhost:8089/servicesNS/<user>/<app>/saved/searches/<search name> -d "is_scheduled=false"

However it returns:

<response>
  <messages>
    <msg type="ERROR">
 In handler 'savedsearch': Cannot find saved search with name '<search name>' .</msg>
  </messages>
</response>

I started looking through the savedsearches.conf of the user and the search that was there is now gone and is not present in any of the other savedsearches.conf files on my server yet it shows up in the web portal.

1 Solution

csimp2033
Explorer

I figured it out. The reason that the curl command was not working was because the search was in the nobody user's saved search conf file rather than the user that created the saved search. Also the -d "is_scheduled=false" needed to be -d "is_scheduled=0"

View solution in original post

pretzel2
Path Finder

Is a Splunk restart required after making this call?

0 Karma

shawngarrettsgp
Path Finder

for disabling/enabling an alert, no not at all.

0 Karma

mzorzi
Splunk Employee
Splunk Employee

You need to use -d actions="".

Example this creates the search with alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/ -d name=zzzsrch -d search=* -d is_scheduled=1 -d cron_schedule="*/2 * * * *" -d actions=email -d action.email.to="zzz@ssss.com" | grep -E "action.email\"|action.email.to"

This disable the alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/zzzsrch -d actions="" | grep -E "action.email\"|action.email.to"

0 Karma

csimp2033
Explorer

I figured it out. The reason that the curl command was not working was because the search was in the nobody user's saved search conf file rather than the user that created the saved search. Also the -d "is_scheduled=false" needed to be -d "is_scheduled=0"

dolivasoh
Contributor

You could possibly re-write the config using http://docs.splunk.com/Documentation/Splunk/6.4.0/RESTREF/RESTconf and then fire off a debug/refresh.

0 Karma

csimp2033
Explorer

I attempted this and I could not figure out a way to get this to work.

0 Karma
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...