Hello,
I'm trying to set up a curl script to enable/disable a search under "Searches, reports, and alerts" when an alert is triggered. I've done some searching on the boards and found the example below, but it's not working for me.
curl -ku admin:changeme https://localhost:8089/servicesNS///saved/searches/ -d "is_scheduled=0"
Basically, a curl or CLI command that will drop a check mark in the box in the screen shot for me so I can script that out would solve my issue.
Anyone have any suggestions?
Hi @sidekix24,
Here is some documentation on the script alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Runscriptaction
As of software version 6.3, the script alert action is deprecated, just FYI. You might want to consider a custom alert action as an alternative:
http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
This documentation on the saved/searches/{name} endpoint might also help with updating the search scheduling as part of the alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D
Hope this helps!
Even a command to enable/disable the saved search would solve my issue 🙂
Thanks again
Thank you,
Is there something that needs to be enabled to run these commands?
In the output, I get the message below. The output doesn't match what I expect to see compared to the output in documents.
Splunk relies on JavaScript to function properly.
Please enable JavaScript and then refresh the page to login.
ok...I'm getting a little further but need some assistance if someone can help.
I'm running the command below:
curl -k -u admin:pass -XPOST https://splunk.server/en-US/account/login?return_to=%2Fen-US%2Fmanager%2Flauncher%2Fsaved%2Fsearches...
And I'm getting this in return:
{"status":1}
I've tried enabling and disabling the status of the saved search in "Searches, reports, and alerts" but that status doesn't change every time I run that command, it stays at {"status":1}.
Hi @sidekix24,
Thanks for the follow-up. Sounds like something is not quite right. I'm going to run your questions by some of my colleagues. I'll report back ASAP!
Thank you...your colleagues come back with anything yet?
Thanks for hanging in there. Can you confirm that the URL you posted above is the one you're using? I'm curious about what happens if/when you use the saved/searches/{name_of_your_search} endpoint that I mentioned above in the REST documentation...
Importantly, be sure to specify the name of the saved search that you want to schedule as part of the URL you are using here.
For example, one of my colleagues posted this example:
curl -ku admin:changeme https://localhost:8089/servicesNS///saved/searches/ -d "is_scheduled=0"
eg
curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/saved/searches/foobar -d "is_scheduled=0"
in this older Answers post that I think might help:
https://answers.splunk.com/answers/174869/how-to-disable-scheduled-searches-via-command-line.html
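The toggle described above, as an added example that is not part of this thread or of Splunk's own tooling: it targets the REST management port (8089, as in the `servicesNS` examples) rather than the web UI login page, percent-encodes the owner, app and search name, and checks the HTTP status instead of trusting the body. It assumes the caller exports `SPLUNK_HOST`, `SPLUNK_TOKEN` (a Splunk authentication token, used instead of `-ku admin:password`) and `SPLUNK_CACERT` (the CA certificate, used instead of `-k`); `admin`, `search` and `foobar` are placeholders.

```shell
#!/bin/sh
# Added example: enable/disable scheduling of a Splunk saved search via REST.
# Assumed environment: SPLUNK_HOST, SPLUNK_TOKEN, SPLUNK_CACERT (set by caller).
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-https://localhost:8089}"

# Percent-encode one path segment so names with spaces or slashes survive.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"        # first character of the remaining string
    s="${s#?}"               # drop it
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the saved/searches/{name} URL scoped to an owner and an app.
build_saved_search_url() {
  printf '%s/servicesNS/%s/%s/saved/searches/%s' \
    "$SPLUNK_HOST" "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# set_scheduled OWNER APP NAME 0|1 -- fails unless Splunk answers HTTP 200.
set_scheduled() {
  case "$4" in 0|1) ;; *) echo "flag must be 0 or 1" >&2; return 2 ;; esac
  code=$(curl -sS -o /dev/null -w '%{http_code}' \
    --cacert "$SPLUNK_CACERT" \
    -H "Authorization: Bearer $SPLUNK_TOKEN" \
    -X POST "$(build_saved_search_url "$1" "$2" "$3")" \
    --data-urlencode "is_scheduled=$4")
  [ "$code" = "200" ] || { echo "Splunk returned HTTP $code" >&2; return 1; }
}

# Example use with placeholder names: disable, then re-enable, the search.
# set_scheduled admin search foobar 0
# set_scheduled admin search foobar 1
```

A command aimed at the web UI's `/en-US/account/login` path, as in the earlier post, is answered by the login page (hence the "enable JavaScript" text and `{"status":1}`), not by the REST API.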
frobinson,
I got it working. My endpoints were incorrect for the saved searches. Once I fixed those, the whole process came together and worked. I was able to successfully build a script to trigger a second search then another script to disable that search once it sends out the "all clear" message.
Thanks for the help