I can GET the definition of a saved search (report) from our dev server with a call like
```
curl -k -u me:word https://splunk-for-dev:8089/servicesNS/me/my-app/saved/searches/my-report
```
How do I use the resulting XML/JSON to POST to our prod server? The closest that I've found is something like
```
curl -k -u me:word https://splunk-for-prod:8089/servicesNS/me/my-app/saved/searches \
  -d name=my-report -d search=...
```
But that means going through the XML/JSON and working out which are the non-default values and a whole lot of text munging. Surely there is a way that I can just post the XML/JSON that I've already got?
Some time back I did it like below. I basically had to write Python code to achieve this; I am posting sample code.
Please note that it's very primitive code where exception handling is not proper and the code is not modularised. Let me briefly explain what it does,
I haven't handled the scenario where, if the alert exists, it should update it, otherwise it should create a new alert. I think that should be easy to implement.
```python
import requests as req
import json
import shlex
import subprocess


def get_alert_dtl_frm_splunk(requestURL, parameters, auth):
    # verify=False skips TLS certificate checking, like curl -k
    response = req.get(url=requestURL, params=parameters, verify=False, auth=auth)
    if response.status_code != 200:
        print('Status: ', response.status_code, 'Headers: ', response.headers, 'Error Response: ', response.json())
        exit()
    data = response.json()
    return json.dumps(data)


def main():
    # preparing the data for get request
    requestURL = 'https://localhost:8089/servicesNS/admin/tmdb/saved/searches/demo'
    params = (('output_mode', 'json'),)
    auth = ('admin', 'monitor!')
    # get the alert json from one splunk instance
    data = get_alert_dtl_frm_splunk(requestURL, params, auth)
    data = json.loads(data)
    alert_content_json = data["entry"][0]["content"]
    # print(data)
    # post to splunk
    alert_content_json["name"] = "Sid"
    cmd = 'curl -k -u admin:monitor! https://localhost:8089/servicesNS/admin/tmdb/saved/searches'
    cmd = cmd + " --data-urlencode name=" + alert_content_json["name"]  # as first argument of curl has to be name
    # need to do this as cUrl command is not able to send the full payload
    key_list = ["alert.severity", "alert.suppress", "alert.track", "alert_type", "cron_schedule",
                "is_scheduled", "alert_threshold", "alert_comparator", "search"]
    for key in alert_content_json.keys():
        if key in key_list:
            value = str(alert_content_json[key])
            value = value.replace("\"", "\"\"")
            value = value.replace("\\n", "\\")
            cmd = cmd + " --data-urlencode " + key + '="' + value + "\""
    # print(cmd)
    args = shlex.split(cmd)
    # Popen rather than call: communicate() is only available on a Popen object
    process = subprocess.Popen(args, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = process.communicate()


main()
```
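An added example, not part of the original answer: the same copy done as a direct form POST from Python instead of a curl command line, including the create-or-update case the answer leaves open. The function names and the sample entry are hypothetical; it assumes a missing saved search answers 404, that booleans are accepted as 1/0, and it uses the standard library with certificate verification left on.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# Settings to carry over: the same allowlist as key_list in the answer above.
COPY_KEYS = ("alert.severity", "alert.suppress", "alert.track", "alert_type",
             "cron_schedule", "is_scheduled", "alert_threshold",
             "alert_comparator", "search")
# Constructed sample of one element of "entry" from a GET with output_mode=json.
SAMPLE_ENTRY = {"name": "my-report", "content": {
    "search": "index=main error | stats count", "is_scheduled": True,
    "cron_schedule": "*/5 * * * *", "alert_type": "always",
    "next_scheduled_time": "2024-01-01 00:05:00 UTC", "alert_threshold": None}}

def entity_url(base, owner, app, name=None):
    url = f"{base}/servicesNS/{owner}/{app}/saved/searches"
    return url if name is None else url + "/" + quote(name, safe="")

def build_form(entry, keys=COPY_KEYS):
    """Keep only allowlisted, non-empty settings; send JSON booleans as 1/0."""
    picked = {k: entry["content"].get(k) for k in keys}
    return {k: str(int(v)) if isinstance(v, bool) else str(v)
            for k, v in picked.items() if v is not None}

def plan_post(base, owner, app, entry, exists):
    """Create: POST name + settings to the collection. Update: POST settings to the entity."""
    form = build_form(entry)
    if not exists:
        form = {"name": entry["name"], **form}
    target = entry["name"] if exists else None
    return entity_url(base, owner, app, target), urlencode(form).encode()

def call(url, user, password, body=None):
    req = urllib.request.Request(url, data=body)  # a body makes this a POST
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return urllib.request.urlopen(req)  # default context verifies the TLS certificate

def copy_saved_search(entry, base, owner, app, user, password):
    try:
        call(entity_url(base, owner, app, entry["name"]), user, password)
        exists = True
    except urllib.error.HTTPError as err:
        if err.code != 404:  # assumed: a missing saved search answers 404
            raise
        exists = False
    url, body = plan_post(base, owner, app, entry, exists)
    return call(url, user, password, body).status
```

Pass `data["entry"][0]` from the dev server's JSON response as `entry`, and the prod server's base URL as `base`.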
@Rikh Did you get this problem solved? If yes, can you please post a solution here?
Do you know how to write an API call to get the result in UI?