Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use curl to overwrite host or query of an alert

Eline
Engager
‎10-22-2021 08:42 AM

How to use curl to overwrite host or query of an alert

i was testing the below for example where i need to overwrite the SPL inside of a alert . Ideally i just want to overwrite the  host in the SPL query and another variable . However it seems i need to overwrite the full query 

 

 

 

 

curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE   -d cron_schedule="31 17 * * *" search="index=mlc_live | stats count(host) by host"

 

 

 

 

 

Labels (2)
Labels
0 Karma
Reply

Eline
Engager
‎10-25-2021 07:51 AM

it is true the command will not fails after adding missing -d .
now the command is triggered with no error but the query is not overwriting the orginal search & cron schedule is not updated 

 

curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE -d cron_schedule="54 16 * * *" -d search="index=mlc_live | stats count(host) by host"

 


am i missing something?

i thought that using curl i will be able to update the schedule and the query of an existing alert . but the items posted are not reflected in configuraiton of the alert 

Eline_0-1635173938067.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-25-2021 01:59 PM

I don't have any experience updating a search using curl so I can tell what, if anything, you're missing.  Sorry.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2021 11:21 AM

The example POST at https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D implies that you only need to specify the fields you want to change.

Perhaps you just need a -d before "search=".

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...