Solved: How to enable/disable a saved search using Python ...

bollam · ‎01-05-2018

Can someone assist me in how to enable and disable the saved searches using python SDK?
I have gone through the docs of python SDK and got how to create and delete but where in I was looking for enabling and disabling the saved searches. Prompt response would be highly appreciated.

paramagurukarth · ‎01-08-2018

Please try below..

import splunklib.client as client

HOST = "localhost"
PORT = 8089
USERNAME = "admin"
PASSWORD = "changeme"

service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

for ss in service.saved_searches:
    print ss.name
    ss.disable()

View solution in original post

bollam · ‎01-17-2018

Hi @paramagurukarthikeyan, How do we enable/disable the saved search which contains the special character in it? I'm getting error while trying enable/disable saved search. Saved search I'm trying to disable is "Testing@#splunk". I'm able to create the saved search with this name but disable is not working. Can you help on this as well?

bollam · ‎01-21-2018

Any luck??

bollam · ‎01-08-2018

@ paramagurukarthikeyan, Thanks much!! Its working as expected.

paramagurukarth · ‎01-15-2018

Always Welcome

paramagurukarth · ‎01-08-2018

Please try below..

import splunklib.client as client

HOST = "localhost"
PORT = 8089
USERNAME = "admin"
PASSWORD = "changeme"

service = client.connect(
    host=HOST,
    port=PORT,
    username=USERNAME,
    password=PASSWORD)

for ss in service.saved_searches:
    print ss.name
    ss.disable()

cmerriman · ‎01-05-2018

do you mean turning on or off a schedule?

bollam · ‎01-07-2018

Yes, Exactly

harsmarvania57 · ‎01-05-2018

Hi @bollam,

Can you please try below python code for disabling saved search

import splunk.rest as rest
rest.simpleRequest('/servicesNS/<USER>/<APPNAME>/saved/searches/<YOURSEARCH>', sessionKey=sessionKey, postargs={'disabled': 1}, method='POST', raiseAllErrors=True)

And to enable it again

import splunk.rest as rest
rest.simpleRequest('/servicesNS/<USER>/<APPNAME>/saved/searches/<YOURSEARCH>', sessionKey=sessionKey, postargs={'disabled': 0}, method='POST', raiseAllErrors=True)

bollam · ‎01-07-2018

Hi @harsmarvania57 ,
I have written code snippet for a basic query validation. Upon successful validation, It should either create, delete, enable or disable the saved search I provide. It was working for creating and deleting the saved search but I'm finding hard to enable or disable the saved search using python SDK. Is there a way to disable or enable the saved search using python SDK?

harsmarvania57 · ‎01-08-2018

What's your code snippet ? Have you tried code which I have given in my first comment ?

How to enable/disable a saved search using Python SDK?

Enterprise Security Content Update (ESCU) v3.54.0

Using Machine Learning for Hunting Security Threats

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...