Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to disable an email alert for a single saved search through CLI or Rest API?

csimp2033
Explorer
‎04-20-2016 01:54 PM

I am trying to automate the silencing and un-silencing of a single email alert. Is there a way to do this through the CLI or the Rest API? I have yet to find a way that has worked.

I need to be able to do this either via the command line or through a very simple application.

I am currently trying to use curl. I have tried the following command: 

curl -k -u admin:pass https://localhost:8089/servicesNS/<user>/<app>/saved/searches/<search name> -d "is_scheduled=false"

However it returns:

<response>
  <messages>
    <msg type="ERROR">
 In handler 'savedsearch': Cannot find saved search with name '<search name>' .</msg>
  </messages>
</response>

I started looking through the savedsearches.conf of the user and the search that was there is now gone and is not present in any of the other savedsearches.conf files on my server yet it shows up in the web portal.

Reply
1 Solution
Solved! Jump to solution
Solution

csimp2033
Explorer
‎04-22-2016 11:51 AM

I figured it out. The reason that the curl command was not working was because the search was in the nobody user's saved search conf file rather than the user that created the saved search. Also the -d "is_scheduled=false" needed to be -d "is_scheduled=0"

View solution in original post

Reply
Solved! Jump to solution

pretzel2
Path Finder
‎12-18-2017 05:38 AM

Is a Splunk restart required after making this call?

0 Karma
Reply
Solved! Jump to solution

shawngarrettsgp
Path Finder
‎12-18-2017 07:54 AM

for disabling/enabling an alert, no not at all.

0 Karma
Reply
Solved! Jump to solution

mzorzi
Splunk Employee
Splunk Employee
‎04-26-2017 07:53 AM

You need to use -d actions="".

Example this creates the search with alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/ -d name=zzzsrch -d search=* -d is_scheduled=1 -d cron_schedule="*/2 * * * *" -d actions=email -d action.email.to="zzz@ssss.com" | grep -E "action.email\"|action.email.to"

This disable the alert:

curl -ku admin:matteo https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/zzzsrch -d actions="" | grep -E "action.email\"|action.email.to"

0 Karma
Reply
Solved! Jump to solution
Solution

csimp2033
Explorer
‎04-22-2016 11:51 AM

I figured it out. The reason that the curl command was not working was because the search was in the nobody user's saved search conf file rather than the user that created the saved search. Also the -d "is_scheduled=false" needed to be -d "is_scheduled=0"

Reply
Solved! Jump to solution

dolivasoh
Contributor
‎04-20-2016 09:46 PM

You could possibly re-write the config using http://docs.splunk.com/Documentation/Splunk/6.4.0/RESTREF/RESTconf and then fire off a debug/refresh.

0 Karma
Reply
Solved! Jump to solution

csimp2033
Explorer
‎04-21-2016 10:26 AM

I attempted this and I could not figure out a way to get this to work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...