How to use curl to overwrite host or query of an alert

Eline
Engager

I was testing the below, for example, where I need to overwrite the SPL inside of an alert. Ideally I just want to overwrite the host in the SPL query and another variable. However, it seems I need to overwrite the full query.

curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE   -d cron_schedule="31 17 * * *" search="index=mlc_live | stats count(host) by host"

Eline
Engager

It is true the command will not fail after adding the missing -d.
Now the command is triggered with no error, but the query is not overwriting the original search and the cron schedule is not updated.

curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE -d cron_schedule="54 16 * * *" -d search="index=mlc_live | stats count(host) by host"

Am I missing something?

I thought that using curl I would be able to update the schedule and the query of an existing alert, but the items posted are not reflected in the configuration of the alert.

richgalloway
SplunkTrust

I don't have any experience updating a search using curl so I can tell what, if anything, you're missing.  Sorry.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

The example POST at https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D implies that you only need to specify the fields you want to change.

Perhaps you just need a -d before "search=".

---
If this reply helps you, Karma would be appreciated.
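Added example, not code from the thread or from Splunk: a POSIX sh wrapper that first GETs the alert (so you can confirm the owner/app namespace in the URL actually holds it) and then POSTs only the fields you want to change, passing each value through --data-urlencode, with a bearer token in place of -u user:pass and no -k. The owner/app pair admin/search, the SPLUNK_TOKEN and SPLUNK_URL variables and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a Splunk auth token in
# SPLUNK_TOKEN, splunkd reachable at SPLUNK_URL, and that the alert lives in
# the owner/app namespace you pass in (confirm with saved_search_show first).
SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"
SPLUNK_TOKEN="${SPLUNK_TOKEN:-}"
CURL="${CURL:-curl}"   # CURL=echo prints the request instead of sending it

# GET the saved search as JSON; entry[0].content carries search, cron_schedule, etc.
saved_search_show() {
    $CURL -sS --fail -H "Authorization: Bearer $SPLUNK_TOKEN" \
        "$SPLUNK_URL/servicesNS/$1/$2/saved/searches/$3?output_mode=json"
}

# Partial update: only the field=value pairs given are POSTed. Each goes through
# --data-urlencode, so '|', '&', '+', '=' and spaces inside SPL reach splunkd
# intact; plain -d sends them raw, and a missing -d makes curl treat the value as a URL.
saved_search_update() {
    owner="$1"; app="$2"; name="$3"; shift 3
    [ "$#" -gt 0 ] || { echo "no field=value pairs given" >&2; return 2; }
    n=$#
    while [ "$n" -gt 0 ]; do   # rotate "$@" into: --data-urlencode f1 --data-urlencode f2 ...
        case "$1" in
            *=*) set -- "$@" --data-urlencode "$1" ;;
            *)   echo "not a field=value pair: $1" >&2; return 2 ;;
        esac
        shift; n=$((n - 1))
    done
    # A bearer token instead of -u user:pass keeps the credential out of ps output
    # and shell history; for a self-signed splunkd cert use --cacert ca.pem, not -k.
    $CURL -sS --fail -H "Authorization: Bearer $SPLUNK_TOKEN" "$@" \
        "$SPLUNK_URL/servicesNS/$owner/$app/saved/searches/$name?output_mode=json"
}

# Usage: ./update_alert.sh admin search KPI_Alert_TEMPLATE 'cron_schedule=31 17 * * *' \
#            'search=index=mlc_live | stats count(host) by host'
if [ "$#" -ge 4 ]; then
    saved_search_update "$@" && saved_search_show "$1" "$2" "$3"
fi
```

If saved_search_show returns 404 for the owner/app you used, that namespace does not hold the alert and a POST to the same URL will not reach it either; the read-back after the update is how you confirm that search and cron_schedule actually changed.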