Alerting

How to set up a curl script to enable a scheduled search when an alert is triggered?

sidekix24
Path Finder

Hello,

I'm trying to set up a curl script to enable/disable a search under "Searches, reports, and alerts" when an alert is triggered. I've done some searching on the boards and found the example below, but it's not working for me.

curl -ku admin:changeme https://localhost:8089/servicesNS///saved/searches/ -d "is_scheduled=0"

Basically, a curl or CLI command that will drop a check mark in the box in the screenshot for me, so I can script that out, would solve my issue.

Anyone have any suggestions?


0 Karma
1 Solution

frobinson_splun
Splunk Employee

Hi @sidekix24,
Here is some documentation on the script alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Runscriptaction

As of software version 6.3, the script alert action is deprecated, just FYI. You might want to consider a custom alert action as an alternative:
http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro

This documentation on the saved/searches/{name} endpoint might also help with updating the search scheduling as part of the alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.3/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D

Hope this helps!

sidekix24
Path Finder

Even a command to enable/disable the saved search would solve my issue 🙂

Thanks again

0 Karma

sidekix24
Path Finder

Thank you,

Is there something that needs to be enabled to run these commands?

In the output, I get the message below. It doesn't match what I expect to see based on the output shown in the documentation.

Splunk relies on JavaScript to function properly.
Please enable JavaScript and then refresh the page to login.

0 Karma

sidekix24
Path Finder

OK... I'm getting a little further, but I need some assistance if someone can help.

I'm running the command below:

curl -k -u admin:pass -XPOST https://splunk.server/en-US/account/login?return_to=%2Fen-US%2Fmanager%2Flauncher%2Fsaved%2Fsearches...

And I'm getting this in return:

{"status":1}

I've tried enabling and disabling the status of the saved search in "Searches, reports, and alerts", but the status doesn't change each time I run that command; it stays at {"status":1}.

0 Karma

frobinson_splun
Splunk Employee

Hi @sidekix24,
Thanks for the follow-up. Sounds like something is not quite right. I'm going to run your questions by some of my colleagues. I'll report back ASAP!

0 Karma

sidekix24
Path Finder

Thank you... Have your colleagues come back with anything yet?

0 Karma

frobinson_splun
Splunk Employee

Thanks for hanging in there. Can you confirm that the URL you posted above is the one you're using? I'm curious about what happens if/when you use the saved/searches/{name_of_your_search} endpoint that I mentioned above in the REST documentation...

Importantly, be sure to specify the name of the saved search that you want to schedule as part of the URL you are using here.

For example, one of my colleagues posted this example in an older Answers post that I think might help:
https://answers.splunk.com/answers/174869/how-to-disable-scheduled-searches-via-command-line.html

curl -ku admin:changeme https://localhost:8089/servicesNS///saved/searches/ -d "is_scheduled=0"

e.g.

curl -ku admin:changeme https://localhost:8089/servicesNS/admin/search/saved/searches/foobar -d "is_scheduled=0"

0 Karma

sidekix24
Path Finder

frobinson,

I got it working. My endpoints were incorrect for the saved searches. Once I fixed those, the whole process came together and worked. I was able to successfully build a script to trigger a second search then another script to disable that search once it sends out the "all clear" message.

Thanks for the help

0 Karma
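The following script is an added example, not code from this thread or from Splunk; it pulls together the working approach from frobinson's saved/searches/{name} answer and the enable-then-disable workflow sidekix24 ended up with. Two points the thread only implies are worth making explicit. First, the REST API lives on the management port (8089 by default); the "enable JavaScript" page and the {"status":1} reply came from posting to the web interface's /en-US/account/login page, which is not the REST API at all. Second, the colleague's one-liner uses -k (no certificate verification) and -u admin:changeme (an admin password visible in shell history and in ps output), which is fine for a lab but not for something an alert fires unattended. The script below instead verifies TLS against a CA bundle, reads credentials from a mode-0600 .netrc file, fails loudly on a 401 or 404 (a wrong owner/app/name path, which is what bit sidekix24), and reads the entry back to confirm the change. Because the screenshot did not survive, it covers both boxes the question could mean: the is_scheduled flag ("Schedule this search") and the search's Enabled/Disabled status via the /enable and /disable sub-endpoints. The host, owner, app, netrc path and CA path are hypothetical defaults and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): toggle a Splunk saved search over the
# REST API on the management port. Hypothetical defaults below; override via env.
# Usage: splunk_search_toggle.sh schedule|unschedule|enable|disable '<search name>'

SPLUNK_HOST="${SPLUNK_HOST:-splunk.example.com:8089}"      # management port, not the web UI port
SPLUNK_OWNER="${SPLUNK_OWNER:-nobody}"                      # 'nobody' = app-level (shared) object
SPLUNK_APP="${SPLUNK_APP:-search}"                          # app the saved search lives in
SPLUNK_NETRC="${SPLUNK_NETRC:-$HOME/.splunk_netrc}"         # mode 0600; keeps the password out of argv
SPLUNK_CA_CERT="${SPLUNK_CA_CERT:-/etc/ssl/splunk-ca.pem}"  # verify TLS instead of using curl -k

# Percent-encode a search name for use as a URL path segment: RFC 3986 unreserved
# bytes pass through, everything else (space, '/', '#', '?', non-ASCII) becomes %XX.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | awk '
    function hexval(h, d) {
      d = "0123456789abcdef"
      return (index(d, substr(h, 1, 1)) - 1) * 16 + index(d, substr(h, 2, 1)) - 1
    }
    {
      for (i = 1; i <= NF; i++) {
        h = $i
        if ((h >= "30" && h <= "39") || (h >= "41" && h <= "5a") ||
            (h >= "61" && h <= "7a") || h == "2d" || h == "2e" || h == "5f" || h == "7e")
          printf "%c", hexval(h)
        else
          printf "%%%s", toupper(h)
      }
    }'
}

# Build the saved/searches/{name} endpoint URL. The owner, the app and the
# (encoded) search name all have to be in the path; leaving any of them out is
# what makes the "servicesNS///saved/searches/" one-liner fail.
saved_search_url() {
  printf 'https://%s/servicesNS/%s/%s/saved/searches/%s\n' \
    "$SPLUNK_HOST" "$SPLUNK_OWNER" "$SPLUNK_APP" "$(urlencode "$1")"
}

# Shared curl options: verified TLS, credentials from .netrc, and --fail so a 401
# (bad credential) or 404 (wrong owner/app/name) aborts the script instead of
# being mistaken for success.
splunk_curl() {
  curl --silent --show-error --fail --cacert "$SPLUNK_CA_CERT" \
       --netrc-file "$SPLUNK_NETRC" "$@"
}

# is_scheduled=1/0 is the "Schedule this search" checkbox; the search also needs
# a cron_schedule for the scheduler to actually run it.
set_scheduled() {                  # set_scheduled '<name>' 0|1
  splunk_curl -X POST --data-urlencode "is_scheduled=$2" \
    "$(saved_search_url "$1")" >/dev/null
}

# The /enable and /disable sub-endpoints flip the search's Enabled/Disabled status.
set_enabled() {                    # set_enabled '<name>' enable|disable
  splunk_curl -X POST "$(saved_search_url "$1")/$2" >/dev/null
}

# Read the entry back as JSON and print the two fields that matter here, so the
# script confirms the change rather than trusting a 200.
show_state() {
  splunk_curl -G --data-urlencode output_mode=json "$(saved_search_url "$1")" |
    grep -oE '"(is_scheduled|disabled)": *[^,}]*'
}

main() {
  cmd=$1; name=$2
  if [ -z "$name" ]; then
    echo "usage: $0 schedule|unschedule|enable|disable '<saved search name>'" >&2
    return 2
  fi
  case "$cmd" in
    schedule)       set_scheduled "$name" 1 ;;
    unschedule)     set_scheduled "$name" 0 ;;
    enable|disable) set_enabled "$name" "$cmd" ;;
    *) echo "unknown command: $cmd" >&2; return 2 ;;
  esac
  show_state "$name"
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

The .netrc file needs a line of the form `machine splunk.example.com login svc_alerts password ...` (curl matches on the host name without the port), and that account should be a dedicated service user with write access to the one saved search rather than admin. Called from the script alert action, the first script would run `schedule 'second search'` and the "all clear" search's action would run `unschedule 'second search'`; the same two commands work unchanged from a custom alert action or from cron.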