Rest API to re-trigger report using saved search with spaces and special characters possible?

dondky
Path Finder

Hello all, we have an app we built that queries Active Directory to send login reports for all our administrators. The report is scheduled via cron to run at 6 AM and, guess what, our license expired during the night, causing the reports not to run. As a result I've been tasked with figuring out how to re-trigger these reports. We have 1 report sent out for each Administrator in our organization. Let's say around 300 or so.

Here is what I've done so far. My first step was to get the saved searches' titles:

| rest /servicesNS/-/ourcustomapp/saved/searches splunk_server=local | table title

I exported this to CSV so I could use curl + the shell to loop through the titles and hopefully re-trigger these alerts based on the saved searches' titles.

Well it wasn't that easy.

Some accounts are simple and work, such as "JohnDoe", but we have some accounts that are "Jane Austin (server administrator)", so we have spaces, ( characters and whatnot.

So I attempted to write a script that takes each of the saved search names above and sends them through like so:

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/domainadminalerts/saved/searches/JohnDoe/dispatch -d trigger_actions=1

This works for JohnDoe, but passing in

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/domainadminalerts/saved/searches/"Jane Austin (server administrator)"/dispatch -d trigger_actions=1

fails. Does this need to be URL encoded? Please let me know if I'm on the right path to this.

Thanks

0 Karma
1 Solution

burwell
SplunkTrust

Yes, that is it. When I use the REST API I need to specify %20 for spaces. So add some code to replace %20 for the space in your saved search name.

To see the encoding you can go to the list of saved searches (Settings -> Searches and Reports), then click on your search as if to edit. You will see the URL. For example, for myserver.com with a saved search of the name "my search with spaces" I see the URL below. I can see the spaces got encoded to %20.

http://myserver.com:8000/splunk/en-US/manager/search/saved/searches/my%20search%20with%20spaces?acti...

dondky
Path Finder

Thanks, I suspected so. Time to do some replacements!

0 Karma

somesoni2
Revered Legend

Yes, the REST API endpoint is in fact a URL, so special characters such as space, hyphen, etc. would need to be URL encoded.

0 Karma
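
The replacement step discussed in this thread, as an added example that is not part of the original posts: a POSIX shell loop that percent-encodes each saved search title before building the dispatch URL. The helper names `urlencode` and `dispatch_url` and the `RUN` and `SPLUNK_AUTH` variables are assumptions; the host, owner and app come from the question, and the titles are constructed samples.

```shell
#!/bin/sh
# Added example: percent-encode saved search titles before building the
# dispatch URL. Helper names, RUN and SPLUNK_AUTH are assumptions.

urlencode() (
    # Encode every byte outside the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~).
    out=
    for hex in $(printf '%s' "$1" | od -An -v -tx1); do
        case $hex in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                # Unreserved byte: turn the hex value back into the character.
                out=$out$(printf "\\$(printf '%03o' "0x$hex")") ;;
            *)
                # Everything else (space, parentheses, &, /, ...) becomes %XX.
                out=$out%$(printf '%s' "$hex" | tr 'a-f' 'A-F') ;;
        esac
    done
    printf '%s' "$out"
)

dispatch_url() {
    # $1 = management URL, $2 = owner, $3 = app, $4 = saved search title
    printf '%s/servicesNS/%s/%s/saved/searches/%s/dispatch' \
        "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Constructed sample titles, one per line, as exported from the | rest search.
while IFS= read -r title; do
    [ -n "$title" ] || continue
    url=$(dispatch_url https://localhost:8089 admin domainadminalerts "$title")
    if [ "${RUN:-0}" = 1 ]; then
        # -k as in the post (self-signed cert on localhost); credentials come
        # from the environment rather than being typed into the script.
        curl -k -u "$SPLUNK_AUTH" "$url" -d trigger_actions=1
    else
        printf '%s\n' "$url"      # dry run: show what would be requested
    fi
done <<'EOF'
JohnDoe
Jane Austin (server administrator)
EOF
```

By default the loop only prints the URLs; set `RUN=1` and `SPLUNK_AUTH=user:password` to send the requests.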