Hello,
I'm trying to set up a curl script to enable/disable a search under "Searches, reports, and alerts" when an alert is triggered. I've done some searching on the boards and found the example below, but it's not working for me.
curl -ku admin:changeme https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{name} -d "is_scheduled=0"
Basically, a curl or CLI command that will drop a check mark in the box in the screen shot for me so I can script that out would solve my issue.
Anyone have any suggestions?


Hi @sidekix24,
Here is some documentation on the script alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Runscriptaction
As of software version 6.3, the script alert action is deprecated, just FYI. You might want to consider a custom alert action as an alternative:
http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
This documentation on the saved/searches/{name} endpoint might also help with updating the search scheduling as part of the alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D
Hope this helps!
Even a command to enable/disable the saved search would solve my issue 🙂
Thanks again
Thank you,
Is there something that needs to be enabled to run these commands?
In the output, I get the message below. The output doesn't match what I expect to see compared to the output in documents.
Splunk relies on JavaScript to function properly.
Please enable JavaScript and then refresh the page to login.
ok...I'm getting a little further but need some assistance if someone can help.
I'm running the command below:
-k -u admin:pass -XPOST https://splunk.server/en-US/account/login?return_to=%2Fen-US%2Fmanager%2Flauncher%2Fsaved%2Fsearches...
And I'm getting this in return:
{"status":1}
I've tried enabling and disabling the status of the saved search in "Searches, reports, and alerts" but that status doesn't change every time I run that command, it stays at {"status":1}.


Hi @sidekix24,
Thanks for the follow-up. Sounds like something is not quite right. I'm going to run your questions by some of my colleagues. I'll report back ASAP!
Thank you...your colleagues come back with anything yet?


Thanks for hanging in there. Can you confirm that the URL you posted above is the one you're using? I'm curious about what happens if/when you use the saved/searches/{name_of_your_search} endpoint that I mentioned above in the REST documentation...
Importantly, be sure to specify the name of the saved search that you want to schedule as part of the URL you are using here.
For example, one of my colleagues posted this example:
curl -ku admin:changeme https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{name} -d "is_scheduled=0"
e.g.
curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/saved/searches/foobar -d "is_scheduled=0"
in this older Answers post that I think might help:
https://answers.splunk.com/answers/174869/how-to-disable-scheduled-searches-via-command-line.html
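
The call discussed in this thread written as shell functions, added here as an example and not code from the thread or from Splunk. It targets the management port 8089 rather than Splunk Web, percent-encodes the namespace and search name, and flags the "enable JavaScript" login page reported earlier. The function names and the SPLUNK_NETRC and SPLUNK_CA variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. SPLUNK_NETRC, SPLUNK_CA and all function
# names are assumptions; admin/search/foobar are the thread's sample values.

# Percent-encode one URL path segment (ASCII input; names often contain spaces).
urlencode() (
  LC_ALL=C; s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Build the management-port (8089) REST URL; args: host owner app name.
saved_search_url() {
  printf 'https://%s:8089/servicesNS/%s/%s/saved/searches/%s' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# REST replies are XML or JSON; the login page text means Splunk Web answered.
is_web_ui_reply() {
  case $1 in
    *'<html'*|*'enable JavaScript'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Set is_scheduled on one saved search; args: host owner app name 0|1.
set_schedule() {
  case $5 in 0|1) ;; *) echo "is_scheduled must be 0 or 1" >&2; return 64 ;; esac
  url=$(saved_search_url "$1" "$2" "$3" "$4")
  # netrc keeps the password out of argv and history; --cacert replaces -k.
  body=$(curl -sS --fail --netrc-file "$SPLUNK_NETRC" --cacert "$SPLUNK_CA" \
    "$url" -d "is_scheduled=$5") || return 1
  if is_web_ui_reply "$body"; then
    echo "HTML reply: request reached Splunk Web, not the REST port" >&2
    return 2
  fi
  printf '%s\n' "$body"
}

# Usage: set_schedule localhost admin search foobar 0
```

The netrc file named by SPLUNK_NETRC should be readable only by the account that runs the alert script.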
frobinson,
I got it working. My endpoints were incorrect for the saved searches. Once I fixed those, the whole process came together and worked. I was able to successfully build a script to trigger a second search then another script to disable that search once it sends out the "all clear" message.
Thanks for the help
