How to use curl to overwrite host or query of an alert
I was testing the below, for example, where I need to overwrite the SPL inside of an alert. Ideally I just want to overwrite the host in the SPL query and another variable. However, it seems I need to overwrite the full query.
curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE -d cron_schedule="31 17 * * *" search="index=mlc_live | stats count(host) by host"
It is true the command will not fail after adding the missing -d.
Now the command is triggered with no error, but the query is not overwriting the original search and the cron schedule is not updated.
curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE -d cron_schedule="54 16 * * *" -d search="index=mlc_live | stats count(host) by host"
Am I missing something?
I thought that using curl I would be able to update the schedule and the query of an existing alert, but the items posted are not reflected in the configuration of the alert.
I don't have any experience updating a search using curl, so I can't tell what, if anything, you're missing. Sorry.
The example POST at https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D implies that you only need to specify the fields you want to change.
Perhaps you just need a -d before "search=".
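The same partial update done from Python, as an added example that is not part of the thread and not Splunk's own code. It posts only the fields being changed to the saved/searches/{name} endpoint named in the thread, percent-encodes the SPL (what curl's --data-urlencode does and a bare -d does not), verifies TLS against a CA bundle instead of using -k, and then reads the object back so the caller can confirm the new values were actually applied. The host, port, app, search name and credentials are the ones from the thread; the CA bundle path and all helper names are this example's own assumptions, and the sample JSON response is constructed.

```python
"""Added example: partial update of a Splunk saved search / alert over REST,
followed by a read-back check. Not code from the thread or from Splunk.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

SPLUNK_BASE = "https://localhost:8089"   # host and port from the thread
CA_BUNDLE = "/path/to/splunk-ca.pem"     # assumption: verify TLS instead of curl -k


def saved_search_url(owner: str, app: str, name: str) -> str:
    """Build the servicesNS endpoint for one saved search, encoding each path part."""
    return (f"{SPLUNK_BASE}/servicesNS/{urllib.parse.quote(owner, safe='')}/"
            f"{urllib.parse.quote(app, safe='')}/saved/searches/"
            f"{urllib.parse.quote(name, safe='')}")


def encode_update(fields: dict) -> bytes:
    """Form-encode only the fields being changed; other attributes are left alone.
    SPL contains spaces, '|', '=' and parentheses, so it must be percent-encoded."""
    body = dict(fields)
    body["output_mode"] = "json"
    return urllib.parse.urlencode(body).encode()


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic header equivalent to curl -u user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def field_from_response(payload: str, field: str):
    """Pull one attribute out of Splunk's REST JSON: entry[0].content.<field>."""
    doc = json.loads(payload)
    return doc["entry"][0]["content"].get(field)


def update_saved_search(owner: str, app: str, name: str,
                        user: str, password: str, changes: dict) -> dict:
    """POST the changed fields, then GET the object and return the values now
    stored for those fields, so the caller can check the update really landed."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    url = saved_search_url(owner, app, name)
    headers = {"Authorization": basic_auth_header(user, password),
               "Content-Type": "application/x-www-form-urlencoded"}
    post = urllib.request.Request(url, data=encode_update(changes),
                                  headers=headers, method="POST")
    with urllib.request.urlopen(post, context=ctx) as resp:
        resp.read()
    get = urllib.request.Request(url + "?output_mode=json", headers=headers)
    with urllib.request.urlopen(get, context=ctx) as resp:
        payload = resp.read().decode()
    return {key: field_from_response(payload, key) for key in changes}


if __name__ == "__main__":
    applied = update_saved_search(
        "admin", "lookup_editor", "KPI_Alert_TEMPLATE", "dev_admin", "devadmin",
        {"cron_schedule": "54 16 * * *",
         "search": "index=mlc_live | stats count(host) by host"})
    for key, value in applied.items():
        print(f"{key}: {value}")
```

The read-back is the step missing from the thread: if the returned cron_schedule and search still show the old values, the POST was accepted but did not change the object the UI is showing (for example because it was addressed to a different owner/app namespace), which is something the HTTP status alone will not tell you.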