Other Usage

Why can't I change alert with REST- It change permission from app to private?

isoutamo
SplunkTrust
SplunkTrust

Hi

We have lot of alert where we need to change alert.email.to recipients to new one. Those alerts are in SHC and those are done within years directly with GUI. So I cannot manually edit those files on OS level and I don't want to redistributed those with Deployer unless there haven't been any other option.

Basically I can change that, but the issue is that it change hiddenly some other attributes which I cannot set with REST POST method. There seems to be at least own old unanswered questions already somehow touching this issue: https://community.splunk.com/t5/Splunk-Enterprise/Changed-save-searches-alert-cron-schedule-with-res...

What I have done:

 

 

| rest /servicesNS/-/-/saved/searches 
| search disabled = 0 AND action.email = 1 AND is_scheduled = 1
| search action.email.to = "*<an old email>*"
| search title = "*SPLUNK:Alarm testing Clone*"
| rename eai:acl.owner as acl_owner, eai:acl.app as acl_app, eai:acl.sharing as acl_sharing
| eval URL1 = replace(replace(title, " ", "%20"),":", "%3A")
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/" + acl_owner + "/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| fields URL

 

 

This gives to me a shell command to run it for that individual alert ($PASS contains user:pass pair).

When I run that 

 

 

curl -vku $PASS -X POST "https://localhost:8089/servicesNS/<user>/alerts_splunk/saved/searches/SPLUNK%3AAlarm%20testing%20Clone -d action.email.to="f.s@some.domain"

 

 

 It runs as expected, but when I do this query

 

 

| rest /servicesNS/-/-/saved/searches splunk_server=splunk-shc*
| search NOT eai:acl.app IN (splunk_instrumentation splunk_rapid_diag splunk_archiver splunk_monitoring_console splunk_app_db_connect splunk_app_aws Splunk_TA_aws SplunkAdmins Splunk_ML_Toolkit trackme)
| rename "alert.track" as alert_track
| eval type=case(alert_track=1, "alert", (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", 1==1, "report")
| fields title type eai:acl.app is_scheduled description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule disabled splunk_server *
| search title = "SPLUNK:alarm testing Clone"
| sort eai:acl.app title splunk_server
| fields eai:acl.app title splunk_server type *
| search splunk_server = "*-b-*"
| transpose
| where 'row 1' != 'row 2'

 

 

I got that instead of changed action.email.to I have private Report with that new action.email.to field!

It has  eai:acl.sharing as private and is_scheduled = 0 instead of 1. Basically that means that now I have a new private report instead of updated alert!

Any hints / advised, how to do this with rest will take thankfully!

r. Ismo

 

 

 

Labels (3)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Thanks to @gjanders for pointing out, that when you are using /servicesNS/<user>/.... then you targeting this to a private content and when you are using /servicesNS/nobody/.... then it's in shared contex inside app. 

This fix my issue

....
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/nobody/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| ....

And if you don't want to go to command line to run those curl commands you could install TA-webtools app to do all in SPL. 

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Thanks to @gjanders for pointing out, that when you are using /servicesNS/<user>/.... then you targeting this to a private content and when you are using /servicesNS/nobody/.... then it's in shared contex inside app. 

This fix my issue

....
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/nobody/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| ....

And if you don't want to go to command line to run those curl commands you could install TA-webtools app to do all in SPL. 

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...