Hi
We have a lot of alerts where we need to change the alert.email.to recipients to a new one. Those alerts are in an SHC and have been created over the years directly with the GUI. So I cannot manually edit those files at OS level, and I don't want to redistribute them with the Deployer unless there is no other option.
Basically I can change that, but the issue is that it hiddenly changes some other attributes which I cannot set with the REST POST method. There seem to be at least some old unanswered questions already somehow touching this issue: https://community.splunk.com/t5/Splunk-Enterprise/Changed-save-searches-alert-cron-schedule-with-res...
What I have done:
| rest /servicesNS/-/-/saved/searches
| search disabled = 0 AND action.email = 1 AND is_scheduled = 1
| search action.email.to = "*<an old email>*"
| search title = "*SPLUNK:Alarm testing Clone*"
| rename eai:acl.owner as acl_owner, eai:acl.app as acl_app, eai:acl.sharing as acl_sharing
| eval URL1 = replace(replace(title, " ", "%20"),":", "%3A")
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/" + acl_owner + "/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| fields URL
This gives me a shell command to run for that individual alert ($PASS contains the user:pass pair).
When I run that
curl -vku $PASS -X POST "https://localhost:8089/servicesNS/<user>/alerts_splunk/saved/searches/SPLUNK%3AAlarm%20testing%20Clone" -d action.email.to="f.s@some.domain"
It runs as expected, but when I do this query
| rest /servicesNS/-/-/saved/searches splunk_server=splunk-shc*
| search NOT eai:acl.app IN (splunk_instrumentation splunk_rapid_diag splunk_archiver splunk_monitoring_console splunk_app_db_connect splunk_app_aws Splunk_TA_aws SplunkAdmins Splunk_ML_Toolkit trackme)
| rename "alert.track" as alert_track
| eval type=case(alert_track=1, "alert", (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", 1==1, "report")
| fields title type eai:acl.app is_scheduled description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule disabled splunk_server *
| search title = "SPLUNK:alarm testing Clone"
| sort eai:acl.app title splunk_server
| fields eai:acl.app title splunk_server type *
| search splunk_server = "*-b-*"
| transpose
| where 'row 1' != 'row 2'
I found that instead of a changed action.email.to, I have a private report with that new action.email.to field!
It has eai:acl.sharing as private and is_scheduled = 0 instead of 1. Basically that means that I now have a new private report instead of an updated alert!
Any hints / advice on how to do this with REST will be thankfully taken!
r. Ismo
Thanks to @gjanders for pointing out that when you are using /servicesNS/<user>/.... you are targeting private content, and when you are using /servicesNS/nobody/.... then it's in the shared context inside the app.
This fixed my issue:
....
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/nobody/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| ....
And if you don't want to go to the command line to run those curl commands, you could install the TA-webtools app to do it all in SPL.
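The namespace rule from this answer, as an added example that is not the poster's code or part of TA-webtools: the script derives the servicesNS user segment from the object's own eai:acl fields (nobody for app/global sharing, the owner for private), POSTs the new recipient, and then checks the returned entry to confirm the existing alert was edited rather than cloned into a private, unscheduled report. Assumed: basic-auth "user:pass", a base URL such as https://localhost:8089, and a CA file for the SHC member's certificate.

```python
# Added example (not the poster's code): update action.email.to on a saved search
# through the Splunk REST API, choosing the namespace from the object's ACL so a
# shared alert is edited in place instead of being cloned as a private report.
import base64
import json
import ssl
import urllib.parse
import urllib.request


def saved_search_url(base, owner, app, sharing, title):
    """Build the servicesNS URL for an existing saved search.
    App- or globally-shared objects live under the 'nobody' user; posting to
    /servicesNS/<owner>/<app>/ instead creates a private copy for that user."""
    ns_user = "nobody" if sharing in ("app", "global") else owner
    q = lambda s: urllib.parse.quote(s, safe="")  # ':' -> %3A, ' ' -> %20
    return f"{base}/servicesNS/{q(ns_user)}/{q(app)}/saved/searches/{q(title)}"


def update_is_in_place(before, after):
    """True if the POST changed the original object: same sharing, same owner and
    the schedule flag preserved (a private clone shows sharing='user', is_scheduled=0)."""
    return (after["acl"]["sharing"] == before["acl"]["sharing"]
            and after["acl"]["owner"] == before["acl"]["owner"]
            and str(after["content"].get("is_scheduled"))
            == str(before["content"].get("is_scheduled")))


def set_email_to(base, userpass, entry, new_to, cafile=None):
    """POST the new recipient list and return (ok, updated_entry). 'entry' is one
    element of the JSON 'entry' list from GET .../saved/searches?output_mode=json.
    Assumed: 'userpass' is a basic-auth 'user:pass' string (hypothetical helper)."""
    acl = entry["acl"]
    url = saved_search_url(base, acl["owner"], acl["app"], acl["sharing"], entry["name"])
    body = urllib.parse.urlencode({"action.email.to": new_to, "output_mode": "json"}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Basic " + base64.b64encode(userpass.encode()).decode())
    ctx = ssl.create_default_context(cafile=cafile)  # verify the SHC member's certificate
    with urllib.request.urlopen(req, context=ctx) as resp:
        updated = json.load(resp)["entry"][0]
    return update_is_in_place(entry, updated), updated
```

Run the same `| rest /servicesNS/-/-/saved/searches` query afterwards and confirm the object still shows eai:acl.sharing = app and is_scheduled = 1; if `set_email_to` returns False, the POST went to the wrong namespace and a private copy now needs to be deleted.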