Other Usage

Why can't I change an alert with REST? It changes the permission from app to private

isoutamo
SplunkTrust

Hi

We have a lot of alerts where we need to change the alert.email.to recipients to a new one. Those alerts are in an SHC and were created over the years directly with the GUI. So I cannot manually edit those files at OS level, and I don't want to redistribute them with the Deployer unless there is no other option.

Basically I can change that, but the issue is that it silently changes some other attributes which I cannot set with the REST POST method. There seems to be at least one old unanswered question already somehow touching this issue: https://community.splunk.com/t5/Splunk-Enterprise/Changed-save-searches-alert-cron-schedule-with-res...

What I have done:

| rest /servicesNS/-/-/saved/searches 
| search disabled = 0 AND action.email = 1 AND is_scheduled = 1
| search action.email.to = "*<an old email>*"
| search title = "*SPLUNK:Alarm testing Clone*"
| rename eai:acl.owner as acl_owner, eai:acl.app as acl_app, eai:acl.sharing as acl_sharing
| eval URL1 = replace(replace(title, " ", "%20"),":", "%3A")
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/" + acl_owner + "/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| fields URL

This gives me a shell command to run for that individual alert ($PASS contains the user:pass pair).

When I run that

curl -vku $PASS -X POST "https://localhost:8089/servicesNS/<user>/alerts_splunk/saved/searches/SPLUNK%3AAlarm%20testing%20Clone" -d action.email.to="f.s@some.domain"

it runs as expected, but when I do this query

| rest /servicesNS/-/-/saved/searches splunk_server=splunk-shc*
| search NOT eai:acl.app IN (splunk_instrumentation splunk_rapid_diag splunk_archiver splunk_monitoring_console splunk_app_db_connect splunk_app_aws Splunk_TA_aws SplunkAdmins Splunk_ML_Toolkit trackme)
| rename "alert.track" as alert_track
| eval type=case(alert_track=1, "alert", (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", 1==1, "report")
| fields title type eai:acl.app is_scheduled description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule disabled splunk_server *
| search title = "SPLUNK:alarm testing Clone"
| sort eai:acl.app title splunk_server
| fields eai:acl.app title splunk_server type *
| search splunk_server = "*-b-*"
| transpose
| where 'row 1' != 'row 2'

I got that instead of a changed action.email.to I have a private Report with that new action.email.to field!

It has eai:acl.sharing as private and is_scheduled = 0 instead of 1. Basically that means that now I have a new private report instead of an updated alert!

Any hints / advice on how to do this with REST will be received thankfully!

r. Ismo

1 Solution

isoutamo
SplunkTrust

Thanks to @gjanders for pointing out that when you are using /servicesNS/<user>/.... you are targeting private content, and when you are using /servicesNS/nobody/.... it's in the shared context inside the app.

This fixed my issue

....
| eval URL = "curl -ku $PASS -X POST \"https://localhost:8089/servicesNS/nobody/" + acl_app + "/saved/searches/" + URL1 + "\" -d action.email.to=\"<the new email>\""
| ....

And if you don't want to go to the command line to run those curl commands, you could install the TA-webtools app to do it all in SPL.
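The namespace rule above, as an added example that is not part of the original thread: the URL builder picks /servicesNS/nobody/<app> for app- or globally-shared objects and /servicesNS/<owner>/<app> only for private ones, and a small drift check compares sharing and schedule fields before and after the POST so an accidental private copy is caught. The base URL, credentials and the sample alert object are constructed assumptions; the POST helper uses only the standard library.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request


def saved_search_url(base, title, sharing, owner, app):
    """REST URL that addresses the existing saved search rather than a private copy.

    /servicesNS/<owner>/<app>/... resolves to <owner>'s private object, while
    /servicesNS/nobody/<app>/... resolves to the app- or global-shared one. POSTing
    an app-shared alert to the user namespace creates a new private copy, which is
    the behaviour described in the question.
    """
    ns_owner = owner if sharing == "user" else "nobody"  # "user" is shown as Private in the UI
    q = lambda s: urllib.parse.quote(s, safe="")  # encodes ':' and ' ' like the SPL replace()
    return f"{base}/servicesNS/{q(ns_owner)}/{q(app)}/saved/searches/{q(title)}"


def drifted(before, after, keys=("sharing", "is_scheduled", "disabled")):
    """Return {key: (before, after)} for fields the update should not have touched."""
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


def set_email_to(url, user, password, new_to, verify_tls=True):
    """POST action.email.to and return the acl/schedule fields from the JSON reply.

    verify_tls=False mirrors curl -k; leave it enabled outside a lab.
    """
    body = urllib.parse.urlencode({"action.email.to": new_to}).encode()
    req = urllib.request.Request(url + "?output_mode=json", data=body, method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        entry = json.load(resp)["entry"][0]
    content = entry["content"]
    return {"sharing": entry["acl"]["sharing"],
            "is_scheduled": content.get("is_scheduled"),
            "disabled": content.get("disabled")}


if __name__ == "__main__":
    # Constructed alert as the first | rest query would report it (not real data).
    alert = {"title": "SPLUNK:Alarm testing Clone", "owner": "someuser",
             "app": "alerts_splunk", "sharing": "app", "is_scheduled": True, "disabled": False}
    url = saved_search_url("https://localhost:8089", alert["title"], alert["sharing"],
                           alert["owner"], alert["app"])
    print(url)  # ends in /servicesNS/nobody/alerts_splunk/saved/searches/SPLUNK%3AAlarm%20testing%20Clone
    # after = set_email_to(url, "admin", "<password>", "new@example.com")
    # print(drifted(alert, after) or "no unexpected changes")
```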

