I'm stuck with an old Splunk system 8.1.5 and trying to move Alerts and Reports to a new system (9 something).
I figured maybe I could use the API. GET works:
curl -k -u myusername:mypassword https://vs-iapp001.local:8089/services/saved/searches/GerrysTestReport -H "Authorization: Bearer mytoken"
which returns a lot of XML that I save in a file called GerrysTestReport.xml.
Then I deleted my report, and now I'm trying to recreate it using POST:
curl -X POST -k -u myusername:mypassword https://vs-iapp001.local:8089/servicesNS/splunk/App/saved/searches/_new/GerrysTestReport -H "Authorization: Bearer mytoken" --data-urlencode @GerrysTestReport.xml
Unfortunately, it just returns errors like "Action forbidden".
The URL parameters are just too complicated to figure out, and I have tried many, many combinations. Nothing works. My account is an admin account and I have every available privilege.
Does anyone have a working example?
Some of the parameters of the URL I don't understand: 'App' (what is an example of an App?); why is it being uploaded to "search" when it's an alert?
Where are these stored in the file system? I can't find them.