How to use curl to overwrite host or query of an ...

Eline · ‎10-22-2021

How to use curl to overwrite host or query of an alert

i was testing the below for example where i need to overwrite the SPL inside of a alert . Ideally i just want to overwrite the host in the SPL query and another variable . However it seems i need to overwrite the full query

curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE   -d cron_schedule="31 17 * * *" search="index=mlc_live | stats count(host) by host"

Eline · ‎10-25-2021

it is true the command will not fails after adding missing -d .
now the command is triggered with no error but the query is not overwriting the orginal search & cron schedule is not updated

curl -k -u dev_admin:devadmin https://localhost:8089/servicesNS/admin/lookup_editor/saved/searches/KPI_Alert_TEMPLATE -d cron_schedule="54 16 * * *" -d search="index=mlc_live | stats count(host) by host"

am i missing something?

i thought that using curl i will be able to update the schedule and the query of an existing alert . but the items posted are not reflected in configuraiton of the alert

richgalloway · ‎10-25-2021

I don't have any experience updating a search using curl so I can tell what, if anything, you're missing. Sorry.

---
If this reply helps you, an upvote would be appreciated.

richgalloway · ‎10-22-2021

The example POST at https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D implies that you only need to specify the fields you want to change.

Perhaps you just need a -d before "search=".

---
If this reply helps you, an upvote would be appreciated.

How to use curl to overwrite host or query of an alert

alert action

alert condition