Reporting

How to disable schedules for all searches for a particular user?

twinspop
Influencer

I'm attempting with 2 REST calls: 1 to get the list of searches, and 1 to POST is_scheduled = 0.

The list curl command I'm using is:

curl -sku admin:pass https://localhost:8089/servicesNS/baduser/-/saved/searches?count=0

Then I'd like to step through each returned with this curl template:

curl -sku admin:pass https://localhost:8089/servicesNS/baduser/$APP/saved/searches/$SEARCHNAME -d is_scheduled=0

But Splunk is cloning the search, not disabling the schedule. I get the original, and a private copy with no schedule.

I'm missing something basic about the way the API works. Help?

0 Karma

twinspop
Influencer

The list command is borked. It lists all searches baduser can see. Not what baduser owns. Bah!

0 Karma

twinspop
Influencer

Partial answer: If I use nobody in the username slot in the POST command, it works.

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...