Alerting

Why can't I change alert with REST- It change permission from app to private?

isoutamo
SplunkTrust
SplunkTrust

Hi

We have lot of alert where we need to change alert.email.to recipients to new one. Those alerts are in SHC and those are done within years directly with GUI. So I cannot manually edit those files on OS level and I don't want to redistributed those with Deployer unless there haven't been any other option.

Basically I can change that, but the issue is that it change hiddenly some other attributes which I cannot set with REST POST method. There seems to be at least own old unanswered questions already somehow touching this issue: https://community.splunk.com/t5/Splunk-Enterprise/Changed-save-searches-alert-cron-schedule-with-res...

What I have done:

 

 

| rest /servicesNS/-/-/saved/searches 
| search disabled = 0 AND action.email = 1 AND is_scheduled = 1
| search action.email.to = "*<an old email>*"
| search title = "*SPLUNK:Alarm testing Clone*"
| rename eai:acl.owner as acl_owner, eai:acl.app as acl_app, eai:acl.sharing as acl_sharing
| eval URL1 = replace(replace(title, " ", "%20"),":", "%3A")
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/" + acl_owner + "/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| fields URL

 

 

This gives to me a shell command to run it for that individual alert ($PASS contains user:pass pair).

When I run that 

 

 

curl -vku $PASS -X POST "https://localhost:8089/servicesNS/<user>/alerts_splunk/saved/searches/SPLUNK%3AAlarm%20testing%20Clone -d action.email.to="f.s@some.domain"

 

 

 It runs as expected, but when I do this query

 

 

| rest /servicesNS/-/-/saved/searches splunk_server=splunk-shc*
| search NOT eai:acl.app IN (splunk_instrumentation splunk_rapid_diag splunk_archiver splunk_monitoring_console splunk_app_db_connect splunk_app_aws Splunk_TA_aws SplunkAdmins Splunk_ML_Toolkit trackme)
| rename "alert.track" as alert_track
| eval type=case(alert_track=1, "alert", (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", 1==1, "report")
| fields title type eai:acl.app is_scheduled description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule disabled splunk_server *
| search title = "SPLUNK:alarm testing Clone"
| sort eai:acl.app title splunk_server
| fields eai:acl.app title splunk_server type *
| search splunk_server = "*-b-*"
| transpose
| where 'row 1' != 'row 2'

 

 

I got that instead of changed action.email.to I have private Report with that new action.email.to field!

It has  eai:acl.sharing as private and is_scheduled = 0 instead of 1. Basically that means that now I have a new private report instead of updated alert!

Any hints / advised, how to do this with rest will take thankfully!

r. Ismo

 

 

 

Labels (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Thanks to @gjanders for pointing out, that when you are using /servicesNS/<user>/.... then you targeting this to a private content and when you are using /servicesNS/nobody/.... then it's in shared contex inside app. 

This fix my issue

....
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/nobody/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| ....

And if you don't want to go to command line to run those curl commands you could install TA-webtools app to do all in SPL. 

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Thanks to @gjanders for pointing out, that when you are using /servicesNS/<user>/.... then you targeting this to a private content and when you are using /servicesNS/nobody/.... then it's in shared contex inside app. 

This fix my issue

....
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/nobody/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| ....

And if you don't want to go to command line to run those curl commands you could install TA-webtools app to do all in SPL. 

Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...