Getting Data In

How to enable and disable Rest End Point?

vaibhavagg2006
Communicator

Hi Experts
I am trying to disable an alert using below rest API example provided in the documentation. It returns back a XML response with all the attributes of the alert but do not disable the alert.

Example:-
    curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/TestSearch/ \
          disable -X POST

My curl command
curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable

Reference :- http://docs.splunk.com/Documentation/Splunk/6.6.5/RESTUM/RESTusing

Any inputs, what is wrong here?

Tags (2)
0 Karma

cmakepeace_nfcu
Loves-to-Learn

I would look further look into the namespace that is required to reach the saved search you are trying to disable.
https://docs.splunk.com/Documentation/Splunk/7.2.3/RESTUM/RESTusing#Namespace

As most likely is that the rest endpoint either doesn't have access to that search or is just creating a new search that its disabling automatically but is never hitting the originating saved search.

If this saved search name is unique an easy way to edit this search is by the following command:

curl -k -u admin:pass https://localhost:8089/servicesNS/-/-/saved/searches/TestSearch/ \
          disable -X POST

As this will be looking over over all levels of access (private,app,global) for the saved search that matches TestSearch.

0 Karma

p_gurav
Champion

Can you try :

curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/ \ disable
0 Karma

vaibhavagg2006
Communicator

Thanks for your input but unfortunately This throws curl: (6) Could not resolve host: disable; Unknown error

0 Karma

inventsekar
SplunkTrust
SplunkTrust

instead of "server", can you try "localhost"?!?! or the full servername (FQDN, like abc.mycompany.com)

curl -X POST -k -u admin:xxx https://localhost:9099/servicesNS/admin/search/saved/searches/test1234/ \ disable
0 Karma

vaibhavagg2006
Communicator

I guess the issue is not with the server name. The following Curl returns back the XML output but the alert is not disabling.

curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable
0 Karma

inventsekar
SplunkTrust
SplunkTrust

try...
curl -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/ disable -X POST

I think the "\" is for entering the command on the next line.. maybe, use it and see if it works..

curl -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/ \
disable -X POST
0 Karma

vaibhavagg2006
Communicator

No luck..The status of alert remains unchanged... Is this working in your environment. I am using Splunk 6.6.5

0 Karma

inventsekar
SplunkTrust
SplunkTrust

i am currently not having access to prod to test this.. ok, maybe, lets try to see if you are able to view the Access Control List of this search -

List the ACL properties of this alert -

curl -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/acl

0 Karma

vaibhavagg2006
Communicator

Yes, I got the following xml back.

<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
  <title>savedsearch</title>
  <id>https://localhost:9099/servicesNS/admin/search/saved/searches</id>
  <updated>2018-08-21T18:14:10+05:30</updated>
  <generator build="b119a2a8b0ad" version="6.6.5"/>
  <author>
    <name>Splunk</name>
  </author>
  <link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
  <link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
  <link href="/servicesNS/admin/search/saved/searches/_acl" rel="_acl"/>
  <opensearch:totalResults>1</opensearch:totalResults>
  <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
  <opensearch:startIndex>0</opensearch:startIndex>
  <s:messages/>
  <entry>
    <title>test1234</title>
    <id>https://localhost:9099/servicesNS/admin/search/saved/searches/test1234</id>
    <updated>2018-08-21T13:54:46+05:30</updated>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="list"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="edit"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234" rel="remove"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/move" rel="move"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/embed" rel="embed"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/enable" rel="enable"/>
    <link href="/servicesNS/admin/search/saved/searches/test1234/history" rel="history"/>
    <content type="text/xml">
      <s:dict>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">admin</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
0 Karma

inventsekar
SplunkTrust
SplunkTrust

just now i noticed this... are you using 8089 or 9089 ?

curl -X POST -k -u admin:xxx https://server:9099/servicesNS/admin/search/saved/searches/test1234/disable

OR

curl -X POST -k -u admin:xxx https://server:8089/servicesNS/admin/search/saved/searches/test1234/disable

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Maybe, try this...

To disable email for an alert
curl -k -u admin:pass https://splunkserver:8089/servicesNS/nobody/search/saved/searches/MyAlert1 -d "actions="

To enable email for an alert
curl -k -u admin:pass https://splunkserver:8089/servicesNS/nobody/search/saved/searches/MyAlert1 -d "actions=email"
0 Karma

vaibhavagg2006
Communicator

I am using my management port which is 9099

0 Karma

vaibhavagg2006
Communicator

Found an interesting thing.. When we hit the disable endpoint, Splunk creates another alert with same name and same search,with private permission and disables it..

0 Karma

inventsekar
SplunkTrust
SplunkTrust

so, when you hit the disable endpoint, totally, you get two alerts.. one is enabled and one is disabled... in total, its the enabled one is still sending alerts?!?!?

vaibhavagg2006
Communicator

yes thats right.. This is what I see in the Splunk UI.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

this behavior looks strange... i dont know..maybe someone else can reply to you regarding this..
as this is really a strange behavior, you can consult splunk support.

(PS - you can upvote for comments as well 😉 .. at times, new users may think that only "answers" can be upvoted. so clarifying 😉 )

vaibhavagg2006
Communicator

Thanks for reminding about the up vote.

I will try to reach out to splunk and raise this as a bug.

0 Karma

vaibhavagg2006
Communicator

Update- It works on the private alert but not on the shared alert.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

nice to know that it worked as private alert..

on shared alert.. not sure.. maybe, that is how the "shared alerts" maybe designed.
one thought.. "shared" to others with just read access or write/edit access to the alert?!?!

0 Karma
Get Updates on the Splunk Community!

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...

Thank You for Celebrating CX Day with Splunk!

Yesterday the entire team at Splunk &#43; Cisco joined the global celebration of CX Day - celebrating our ...