All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Web Tools Add-On: How to reschedule saved searches

Goesta
Explorer
‎08-04-2019 02:56 AM

I’m trying to figure out a way to update the cron schedule of a saved search using this add-on,
but I’m not really getting anywhere – could someone kindly advise, please?

While this:

| curl
method=GET
user=THEUSER pass=THEPASSWORD
uri=https://localhost:8089/services/saved/searches/THESAVEDSEARCH

returns an XML response just nicely, trying this: 

| makeresults count=1 
| eval message="{'cron_schedule':'00 09 * * *'}" 
| curl
uri=https://localhost:8089/servicesNS/reports/search/saved/searches/THESAVEDSEARCH
user=THEUSER pass=THEPASSWORD
method=post
datafield=message

will return an error (btw, splunkauth doesn’t seem to work for us):

“<msg type="ERROR">Argument "{'cron_schedule':'00 09 * * *'}" is not supported by this handler.</msg>”

Also trying to create an URI that directly addresses the saved/searches/{name}/reschedule endpoint fails in any combination I’ve been trying

So, if you have an idea what I’m doing wrong, I’d appreciate any hints 🙂
(btw, we’re using Splunk 7.1.4)

Have a nice day,
Gösta

Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-04-2019 05:45 AM

Hey, you'll need to escape the quotes on the eval in order to pass proper json.

| eval message="{\"jsonQuoted\":\"True\"}"

For example

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎08-04-2019 05:45 AM

Hey, you'll need to escape the quotes on the eval in order to pass proper json.

| eval message="{\"jsonQuoted\":\"True\"}"

For example

Reply
Solved! Jump to solution

Goesta
Explorer
‎08-04-2019 11:02 PM

While Splunk won't run the query on the updated schedule (yet), which I'll still need to figure out, GETting the saved search now correctly reflects the changes POSTed using this command.
Thanks for the swift response, I appreciate it!

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-05-2019 05:24 AM

You may need to hit an endpoint that reloads the configs such as the one linked to from :8000/debug/refresh

Or there's also a "bump" endpoint.

Reply
Solved! Jump to solution

herbie_53
Explorer
‎08-06-2019 01:34 AM

Hi,
changing the URI made it work..

uri=https://localhost:8089/servicesNS/nobody/{App Name}/saved/searches/{Saved Search Name}

The report Goesta and I are talking about is shared globally but owned by a specific user. However, looking at the reports page and hovering the link led us to the solution above:

https://localhost:8000/en-US/app/{App Name}/report?s=%2FservicesNS%2Fnobody%2F{App Name}%2Fsaved%2Fsearches%2F{Saved Search Name}

Might just be us not exactly knowing how Splunk stores the config for knowledge objects but could be helpful for others to understand I guess.

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎08-04-2019 05:46 AM

Also version 1.2.3 had a bug in non-splunkauth connections such as the one you're using. I fixed that last week in version 1.2.4.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...