Alerting

Not able to disable alert using curl command

akanksha01
New Member

Hi Team,

I am using the following curl command:

curl -k -u admin:password -X POST https://<host>:<port>/servicesNS/akanksha_goel1/search/saved/searches/Clickstream-Microsurvey-Failure-Alert-Rule-Dev -d "disabled=1" --max-time 60 -H "Content-Type: application/x-www-form-urlencoded"

But I am getting this error:
Error: read ECONNRESET

Kindly help us resolve the issue!

0 Karma

PickleRick
SplunkTrust

Connection reset means that the other end either completely refused to connect or for some reason decided that the connection is erroneous and closed it abruptly.

It is fairly uncommon for an HTTP server to properly respond to a request and close the connection abruptly like that (although it's not unheard of) - typically the server, even if the HTTP response contains an error code, closes the connection gracefully. Also, in such a case you'd see some response.

So it's more probable that either the TLS handshake is terminated due to some error in connection negotiation or there is some network-level problem or you are simply connecting to a wrong port.

The easiest way to troubleshoot would be to check network traffic on both ends during such curl request.

0 Karma

livehybrid
SplunkTrust

Hi @akanksha01 

The ECONNRESET error indicates that the TCP connection was abruptly closed by the Splunk server or an intermediary network device (like a firewall or load balancer) before the request could be fully processed or the response sent. The curl command syntax itself for disabling the saved search appears correct.

Troubleshooting steps:

  1. Verify Network Connectivity: Ensure the IP and port (typically 8089 for the Splunk management port) are correct and reachable from the machine running the curl command. Check for firewalls or network ACLs that might be blocking or resetting the connection at either source or destination.
  2. Check Splunk Server Status: Ensure the Splunk instance is running and responsive. Are you able to reach the instance using netcat from your source?
  3. Examine Splunk Logs: Check the $SPLUNK_HOME/var/log/splunk/splunkd.log on the Splunk server for any errors occurring around the time you ran the curl command. This might provide clues about why the server closed the connection.
  4. Check Intermediary Devices: If you are connecting through a load balancer or proxy, check its logs and configuration. It might have shorter timeouts or specific rules causing the connection reset.
  5. Simplify the Request: Try the request without --max-time 60 initially to rule out timeout interactions, although disabling an alert should be very fast. You could also apply -v to provide more verbose output.

0 Karma