Reporting

Rest API to re-trigger report using saved search with spaces and special characters possible?

dondky
Path Finder

Hello all, we have an app we built that queries Active Directory to send login reports for all our administrators. The report is scheduled via cron to run at 6AM and, guess what, our license expired during the night, causing the reports not to run. As a result I've been tasked with figuring out how to re-trigger these reports. We have 1 report sent out for each Administrator in our organization. Let's say around 300 or so.

Here is what I've done so far. My first step was to get the saved searches' titles:

| rest /servicesNS/-/ourcustomapp/saved/searches splunk_server=local | table title

I exported this to CSV so I could use curl + the shell to loop through the titles and hopefully re-trigger these alerts based on the saved search titles.

Well it wasn't that easy.

Some accounts are simple and work, such as "JohnDoe", but we have some accounts that are "Jane Austin (server administrator)", so we have spaces, ( characters and whatnot.

So I attempted to write a script that takes each of the saved search names above and sends them through like so:

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/domainadminalerts/saved/searches/JohnDoe/dispatch -d trigger_actions=1

This works for JohnDoe, but passing in

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/domainadminalerts/saved/searches/"Jane Austin (server administrator)"/dispatch -d trigger_actions=1

fails. Does this need to be URL encoded? Please let me know if I'm on the right path to this.

Thanks


burwell
SplunkTrust

Yes, that is it. When I use the REST API I need to specify %20 for spaces. So add some code to substitute %20 for the space in your saved search name.

To see the encoding you can go to the list of saved searches (Settings -> Searches and Reports), then click on your search as if to edit. You will see the URL. For example, for myserver.com with a saved search of the name "my search with spaces" I see the URL below. I can see the spaces got encoded to %20.

http://myserver.com:8000/splunk/en-US/manager/search/saved/searches/my%20search%20with%20spaces?acti...

dondky
Path Finder

Thanks, I suspected so. Time to do some replacements!

somesoni2
Revered Legend

Yes, the REST API endpoint is in fact a URL, so special characters such as space, hyphen, etc. would need to be URL encoded.
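
The replacement the answers above describe, generalized from spaces to every character that is not URL-safe (the parentheses in the question's example included), as an added example that is not part of the original thread. The base URL is the one from the question; the titles file (one saved search title per line), the netrc file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example. BASE mirrors the URL in the question; the titles file and
# the NETRC_FILE default are assumptions, not Splunk conventions.
BASE="https://localhost:8089/servicesNS/admin/domainadminalerts/saved/searches"

# Percent-encode every byte that is not an RFC 3986 unreserved character,
# so spaces, parentheses and other reserved characters cannot break the URL path.
urlencode() {
    printf '%s' "$1" | od -An -v -tx1 | tr 'a-f' 'A-F' | tr -s ' ' '\n' |
    while read -r hex; do
        [ -n "$hex" ] || continue
        case "$hex" in
            2D|2E|5F|7E|3[0-9]|4[1-9A-F]|5[0-9A]|6[1-9A-F]|7[0-9A])
                # unreserved (- . _ ~ 0-9 A-Z a-z): emit the literal byte
                printf "\\$(printf '%03o' "0x$hex")" ;;
            *)  printf '%%%s' "$hex" ;;
        esac
    done
}

# Build the dispatch URL for one saved search title.
dispatch_url() {
    printf '%s/%s/dispatch' "$BASE" "$(urlencode "$1")"
}

# Re-trigger every saved search listed in the file given as $1.
dispatch_all() {
    while IFS= read -r title || [ -n "$title" ]; do
        [ -n "$title" ] || continue
        url=$(dispatch_url "$title")
        echo "dispatching: $title -> $url"
        # Credentials come from a netrc file rather than -u user:pass, which
        # would be visible in the process list and in shell history.
        curl -sS --netrc-file "${NETRC_FILE:-$HOME/.splunk-netrc}" \
             "$url" -d trigger_actions=1 </dev/null || echo "FAILED: $title" >&2
    done < "$1"
}

# Run only when a titles file is passed as the first argument.
if [ "$#" -gt 0 ]; then dispatch_all "$1"; fi
```

The question's `-k` is left out, so curl verifies the management port's certificate; with a self-signed certificate, point curl at it with `--cacert`.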
