
How to enable and disable a REST endpoint?

vaibhavagg2006
Communicator

Hi Experts,
I am trying to disable an alert using the REST API example below, provided in the documentation. It returns an XML response with all the attributes of the alert but does not disable the alert.

Example:
    curl -k -u admin:pass \
        https://localhost:8089/servicesNS/admin/search/saved/searches/TestSearch/disable -X POST

My curl command:
    curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable

Reference: http://docs.splunk.com/Documentation/Splunk/6.6.5/RESTUM/RESTusing

Any inputs on what is wrong here?


cmakepeace_nfcu
Loves-to-Learn

I would look further into the namespace that is required to reach the saved search you are trying to disable.
https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTUM/RESTusing#Namespace

Most likely the REST endpoint either doesn't have access to that search, or is just creating a new search that it disables automatically and never hits the originating saved search.

If this saved search name is unique, an easy way to edit this search is with the following command:

    curl -k -u admin:pass \
        https://localhost:8089/servicesNS/-/-/saved/searches/TestSearch/disable -X POST

This will look over all levels of access (private, app, global) for a saved search that matches TestSearch.


p_gurav
Champion

Can you try :

    curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable

vaibhavagg2006
Communicator

Thanks for your input, but unfortunately this throws: curl: (6) Could not resolve host: disable; Unknown error


inventsekar
Super Champion

Instead of "server", can you try "localhost"? Or the full server name (FQDN, like abc.mycompany.com)?

    curl -X POST -k -u admin:xxx https://localhost:9099/servicesNS/admin/search/saved/searches/test1234/disable

PS: If any post helped you in any way, please give a hi-five to the author with an upvote. If your issue got resolved, please accept the reply as the solution. Thanks.

vaibhavagg2006
Communicator

I guess the issue is not with the server name. The following curl command returns the XML output, but the alert is not disabled.

curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable

inventsekar
Super Champion

Try...

    curl -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable -X POST

I think the "\" is for entering the command on the next line. Maybe use it and see if it works:

    curl -k -u admin:xxx \
        https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable -X POST

vaibhavagg2006
Communicator

No luck. The status of the alert remains unchanged. Is this working in your environment? I am using Splunk 6.6.5.


inventsekar
Super Champion

I currently don't have access to prod to test this. OK, maybe let's see if you are able to view the Access Control List of this search.

List the ACL properties of this alert:

    curl -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/acl


vaibhavagg2006
Communicator

Yes, I got the following XML back.

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:9099/servicesNS/admin/search/saved/searches</id>
  <updated>2018-08-21T18:14:10+05:30</updated>
  <generator build="b119a2a8b0ad" version="6.6.5"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/saved/searches/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>test1234</title>
    <id>https://localhost:9099/servicesNS/admin/search/saved/searches/test1234</id>
    <updated>2018-08-21T13:54:46+05:30</updated>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/embed" rel="embed"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/enable" rel="enable"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>

inventsekar
Super Champion

Just now I noticed this... are you using 8089 or 9089?

curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable

OR

curl -X POST -k -u admin:xxx https://server:8089/servicesNS/admin/search/saved/searches/test1234/disable


inventsekar
Super Champion

Maybe try this...

To disable email for an alert:
    curl -k -u admin:pass https://splunkserver:8089/servicesNS/nobody/search/saved/searches/MyAlert1 -d "actions="

To enable email for an alert:
    curl -k -u admin:pass https://splunkserver:8089/servicesNS/nobody/search/saved/searches/MyAlert1 -d "actions=email"

vaibhavagg2006
Communicator

I am using my management port, which is 9099.


vaibhavagg2006
Communicator

Found an interesting thing. When we hit the disable endpoint, Splunk creates another alert with the same name and the same search, with private permission, and disables it.


inventsekar
Super Champion

So, when you hit the disable endpoint, in total you get two alerts: one enabled and one disabled... and the enabled one is still sending alerts?


vaibhavagg2006
Communicator

Yes, that's right. This is what I see in the Splunk UI.


inventsekar
Super Champion

This behaviour looks strange... I don't know. Maybe someone else can reply to you regarding this.
As this is really strange behaviour, you can consult Splunk Support.

(PS: you can upvote comments as well 😉. At times, new users may think that only "answers" can be upvoted, so clarifying 😉)


vaibhavagg2006
Communicator

Thanks for reminding me about the upvote.

I will try to reach out to Splunk and raise this as a bug.


vaibhavagg2006
Communicator

Update: it works on the private alert but not on the shared alert.


inventsekar
Super Champion

Nice to know that it worked on the private alert.

On the shared alert... not sure. Maybe that is how "shared alerts" are designed.
One thought: "shared" to others with just read access, or with write/edit access to the alert?

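Added example (not code from this thread, nor from Splunk's documentation) that ties together the two findings above: the namespace answer (address the object under the owner and app it actually lives in; the "-" wildcard is fine for GET) and the observation that POSTing /disable into the admin user namespace created a disabled private copy while the shared alert kept firing. The script looks the alert up across all namespaces, reads eai:acl from the Atom feed, builds the entity path with nobody as the owner for app- or global-shared objects and the real owner for private ones, POSTs to /disable, and then checks that the returned entry really carries disabled=1 instead of trusting the 200 response. The same resolved path is reused for attribute edits such as the actions= change from the email post. The host, port, credentials, the sample feed, and the count=0&search= listing filter are assumptions made for this example; only the Python standard library is used.

```python
# Added example for this thread (not code from the thread or from Splunk's docs).
# Resolve the namespace of a saved search / alert before POSTing to it: that is
# the difference between disabling the shared object and silently creating a
# disabled private copy. Host, port, credentials and SAMPLE_FEED are assumptions.
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"


def parse_entries(feed_xml):
    """Return [(title, acl, disabled)] for every <entry> in a saved/searches feed."""
    entries = []
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        acl, disabled = {}, None
        top = entry.find(ATOM + "content").find(SREST + "dict")
        for key in top.findall(SREST + "key"):
            if key.get("name") == "eai:acl":
                for k in key.find(SREST + "dict").findall(SREST + "key"):
                    acl[k.get("name")] = (k.text or "").strip()
            elif key.get("name") == "disabled":
                disabled = (key.text or "").strip() == "1"
        entries.append((entry.findtext(ATOM + "title"), acl, disabled))
    return entries


def namespace_owner(acl):
    """Owner segment of /servicesNS/<owner>/<app>/: app- and global-shared objects
    live under 'nobody'; a private ('user') object lives under its real owner."""
    return "nobody" if acl.get("sharing") in ("app", "global") else acl["owner"]


def entity_path(name, acl):
    q = lambda s: urllib.parse.quote(s, safe="")
    return "/servicesNS/%s/%s/saved/searches/%s" % (
        q(namespace_owner(acl)), q(acl["app"]), q(name))


def resolve(name, send):
    """Find exactly one saved search called `name` across all namespaces
    (the '-' wildcard is valid for GET) and return its entity path plus ACL.
    count=0 (all results) and search= (response filter) are assumed REST params."""
    listing = send("GET", "/servicesNS/-/-/saved/searches?count=0&search=%s"
                   % urllib.parse.quote(name, safe=""), None)
    hits = [e for e in parse_entries(listing) if e[0] == name]
    if not hits:
        raise LookupError("no saved search named %r is visible to this user" % name)
    if len(hits) > 1:
        # e.g. a private copy now shadowing the shared object, as seen in the thread
        raise LookupError("%d objects named %r: %s" % (
            len(hits), name, [(a["sharing"], a["owner"], a["app"]) for _, a, _ in hits]))
    _, acl, _ = hits[0]
    return entity_path(name, acl), acl


def disable_saved_search(name, send):
    """POST <entity>/disable in the right namespace and verify the entry came back
    disabled instead of trusting the HTTP 200. Returns the path that was used."""
    path, _ = resolve(name, send)
    after = parse_entries(send("POST", path + "/disable", {}))
    if not after or after[0][2] is not True:
        raise RuntimeError("POST %s/disable did not return a disabled entry" % path)
    return path + "/disable"


def update_saved_search(name, attrs, send):
    """Edit attributes the same way, e.g. {'actions': ''} to drop the email action."""
    path, _ = resolve(name, send)
    send("POST", path, attrs)
    return path


def make_sender(base_url, user, password, verify_tls=True):
    """urllib transport with HTTP basic auth. verify_tls=False is curl's -k;
    keep it on outside of lab setups."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

    def send(method, path, data):
        body = urllib.parse.urlencode(data).encode() if data is not None else None
        req = urllib.request.Request(base_url + path, data=body, method=method,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return send


# Constructed feed: an app-shared alert owned by admin, modelled on the thread's output.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>test1234</title><content type="text/xml"><s:dict>
    <s:key name="disabled">0</s:key>
    <s:key name="eai:acl"><s:dict>
      <s:key name="app">search</s:key><s:key name="owner">admin</s:key>
      <s:key name="sharing">app</s:key></s:dict></s:key>
  </s:dict></content></entry></feed>"""


if __name__ == "__main__":
    # Hypothetical host/port/credentials; the thread's management port was 9099.
    send = make_sender("https://server:9099", "admin", "xxx", verify_tls=False)
    print("disabled via", disable_saved_search("test1234", send))
```

With the sample feed above, the alert is app-shared, so the POST goes to /servicesNS/nobody/search/saved/searches/test1234/disable; had eai:acl said sharing=user, the path would use the owner (admin) instead. If the lookup finds two objects with the same name, which is exactly the state the thread ended up in, the script refuses to guess and lists their (sharing, owner, app) so the stray private copy can be deleted first.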