- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't figure out how to POST a Report
I'm stuck with an old Splunk system 8.1.5 and trying to move Alerts and Reports to a new system (9 something).
I figured maybe I could use the API, GET works:
curl -k -u myusername:mypassword https://vs-iapp001.local:8089/services/saved/searches/GerrysTestReport -H "Authorization: Bearer mytoken"
which returns a lot of XML that I save in a file called GerrysTestReport.xml
Then I deleted my report and now I'm trying to recreate it using POST
curl -X POST -k -u myusername:mypassword https://vs-iapp001.local:8089/servicesNS/splunk/App/saved/searches/_new/GerrysTestReport -H "Authorization: Bearer mytoken" --data-urlencode @GerrysTestReport.xml
Unfortunately it just returns errors like "Action forbidden"
The parameters URL are just too complicated to figure out, and I have tried many, many combinations. Nothing works. My account is an admin account and I have every available privilege
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does anyone have a working example?
Some of the parameters of the URL I don't understand 'App' (what is an example of an App?); why is it being uploaded to "search" when it's an alert?
Where are these stored in the file system? I can't find them.
