I'm attempting with 2 REST calls: 1 to get the list of searches, and 1 to POST is_scheduled = 0.
is_scheduled = 0
The list curl command I'm using is:
curl -sku admin:pass https://localhost:8089/servicesNS/baduser/-/saved/searches?count=0
Then I'd like to step through each returned with this curl template:
curl -sku admin:pass https://localhost:8089/servicesNS/baduser/$APP/saved/searches/$SEARCHNAME -d is_scheduled=0
But Splunk is cloning the search, not disabling the schedule. I get the original, and a private copy with no schedule.
I'm missing something basic about the way the API works. Help?
The list command is borked. It lists all searches baduser can see. Not what baduser owns. Bah!
Partial answer: If I use nobody in the username slot in the POST command, it works.