I can GET the definition of a saved search (report) from our dev server with a call like
curl -k -u me:word https://splunk-for-dev:8089/servicesNS/me/my-app/saved/searches/my-report
How do I use the resulting XML/JSON to POST to our prod server? The closest that I've found is something like
curl -k -u me:word https://splunk-for-prod:8089/servicesNS/me/my-app/saved/searches \
    -d name=my-report -d search=...
But that means going through the XML/JSON and working out which are the non-default values and a whole lot of text munging. Surely there is a way that I can just post the XML/JSON that I've already got?
Some time back I did it as below. I basically had to write Python code to achieve this, and I am posting sample code.
Please note that it's very primitive code: the exception handling is not proper and the code is not modularised. Let me briefly explain what it does.
I haven't handled the scenario where, if the alert exists, it should update it and otherwise create a new alert. I think that should be easy to implement.
import json
import shlex
import subprocess
import sys

import requests as req


def get_alert_dtl_frm_splunk(requestURL, parameters, auth):
    # verify=False skips TLS certificate validation (the same as curl -k)
    response = req.get(url=requestURL, params=parameters, verify=False, auth=auth)
    if response.status_code != 200:
        print('Status: ', response.status_code, 'Headers: ', response.headers,
              'Error Response: ', response.json())
        sys.exit(1)
    data = response.json()
    return json.dumps(data)


def main():
    # preparing the data for get request
    requestURL = 'https://localhost:8089/servicesNS/admin/tmdb/saved/searches/demo'
    params = (('output_mode', 'json'),)
    auth = ('admin', 'monitor!')

    # get the alert json from one splunk instance
    data = get_alert_dtl_frm_splunk(requestURL, params, auth)
    data = json.loads(data)
    # "entry" is a list; the saved search is its first element
    alert_content_json = data["entry"][0]["content"]
    # print(data)

    # post to splunk
    alert_content_json["name"] = "Sid"
    cmd = 'curl -k -u admin:monitor! https://localhost:8089/servicesNS/admin/tmdb/saved/searches'
    # the first argument of curl has to be name
    cmd = cmd + " --data-urlencode " + shlex.quote("name=" + alert_content_json["name"])
    # need to do this as the curl command is not able to send the full payload
    key_list = ["alert.severity", "alert.suppress", "alert.track", "alert_type",
                "cron_schedule", "is_scheduled", "alert_threshold",
                "alert_comparator", "search"]
    for key in alert_content_json.keys():
        if key in key_list:
            value = str(alert_content_json[key])
            # shlex.quote keeps quotes, spaces and newlines in the value intact
            cmd = cmd + " --data-urlencode " + shlex.quote(key + "=" + value)
    # print(cmd)
    args = shlex.split(cmd)
    # Popen (not call) returns a process object that has communicate()
    process = subprocess.Popen(args, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = process.communicate()


main()
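An added example (not part of the original post) of the step the question and the answer both leave open: turning the JSON from the GET into the form fields for the POST, and picking the create or update URL. The copied field list is the answer's key_list; the sample response, `plan_post` and its parameters are constructed for illustration.

```python
import json
from urllib.parse import quote, urlencode

# Fields to copy: the answer's key_list. Extend it for your own reports.
COPY_KEYS = ["alert.severity", "alert.suppress", "alert.track", "alert_type",
             "cron_schedule", "is_scheduled", "alert_threshold",
             "alert_comparator", "search"]

# Constructed sample of a GET .../saved/searches/my-report?output_mode=json body.
SAMPLE_GET_BODY = json.dumps({"entry": [{"name": "my-report", "content": {
    "search": 'index=main status="500" | stats count by host',
    "cron_schedule": "*/5 * * * *", "is_scheduled": True,
    "alert_threshold": "", "dispatch.earliest_time": "-15m"}}]})


def to_form_value(value):
    """JSON booleans become 1/0; everything else is sent as text."""
    if isinstance(value, bool):
        return "1" if value else "0"
    return str(value)


def plan_post(base_url, owner, app, get_body, exists_on_target, keys=COPY_KEYS):
    """Return (url, fields) for the POST that recreates the search in get_body."""
    entry = json.loads(get_body)["entry"][0]  # "entry" is a list
    name, content = entry["name"], entry["content"]
    # Assumption: unset (None or empty) values are left to the target's defaults.
    fields = {k: to_form_value(content[k]) for k in keys
              if content.get(k) not in (None, "")}
    collection = "{}/servicesNS/{}/{}/saved/searches".format(
        base_url.rstrip("/"), quote(owner, safe=""), quote(app, safe=""))
    if exists_on_target:
        # Update: POST to the entity URL, without a "name" field.
        return collection + "/" + quote(name, safe=""), fields
    # Create: POST to the collection, with "name" as a field.
    return collection, {"name": name, **fields}


def encode_body(fields):
    """Form-encode the fields (what curl --data-urlencode does per field)."""
    return urlencode(fields)


if __name__ == "__main__":
    url, fields = plan_post("https://splunk-for-prod:8089", "me", "my-app",
                            SAMPLE_GET_BODY, exists_on_target=False)
    print("POST", url)
    print(encode_body(fields))
```

The returned pair can be passed straight to `requests.post(url, data=fields, auth=...)`, which form-encodes the dictionary itself.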
@Rikh Did you get this problem solved? If yes, can you please post a solution here?
Do you know how to write an API call to get the result in UI?