Solved: Re: How to use TA-webtools to disable multiple ale...

ips_mandar · ‎07-07-2022

HI,

I want to disable multiple alerts/reports using curl (TA-webtools)..so basically my results look like below-

title	app	id
report1	app1	https://abc.com:8089/servicesNS/nobody/app1/saved/searches/report1
report2	app2	https://abc.com:8089/servicesNS/nobody/app2/saved/searches/report2
report3	app3	https://abc.com:8089/servicesNS/nobody/app3/saved/searches/report3

How I can disable all id alert/reports in single query?

any help is appreciated!

@jkat54

ips_mandar · ‎07-11-2022

Below is the spl how I achieved it-

...| eval url_string= id."/disable"
|map search="| curl uri=$url_string$ method=POST splunkauth=true"

ips_mandar · ‎07-11-2022

Below is the spl how I achieved it-

...| eval url_string= id."/disable"
|map search="| curl uri=$url_string$ method=POST splunkauth=true"

ips_mandar · ‎07-11-2022

Thanks @jkat54 I was able to do using map command

jkat54 · ‎07-08-2022

You could do this using the urifield option and eval. Here's an example below:

Using the urifield option
| makeresults count=1
| eval uri="https://localhost:8089/services"
| curl method=get urifield=uri

no reason you can't do something like

| makeresults count=3
| streamstats count

| eval uri="https://abc.com:8089/app".count."/report".count"

How to use TA-webtools to disable multiple alerts/reports?