Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is API change not updated in web page?

MScottFoley
Path Finder
‎01-05-2023 09:57 AM

I updated an alert description using the REST API (port 8089).  When I use the API to list the description it shows the updated description.  When I look at the alert using the web page (port 8000) it still has the old version.  There are multiple instances of Splunk and a load balancer, but I do not know the specifics.  I always use the same IP address to access Splunk.    

For the API access I use a token under my username.  Is my token the problem?  My user has enough rights to create and change alerts.  Although when I list all alerts using |rest/servicesNS/-/-/saved/searches I get a warning Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability

Thanks.  

Labels (1)
Labels
0 Karma
Reply

MScottFoley
Path Finder
‎01-05-2023 12:26 PM

It may be the way I am accessing Splunk through the API.  I am using my user since the API token is for my user.    $"{splunkBaseUrl}/servicesNS/{user}/search/saved/searches/";

There is documentation that says to use https://<host>:<mPort>/services/alerts/alert_actions.  I think I had tried that before and could not get it to work with the API token I was using at least.  

I will try using a different endpoint.

 

0 Karma
Reply

MScottFoley
Path Finder
‎01-05-2023 11:10 AM

Thanks Rich,

I thought it could be the cluster.  If I update the alert from one computer and then look at it from another (on a different network) it is updated on both.  Viewing the alert using the API does not show the change though.  It's like the API is changing and reading a local version of the alert.  I have asked internally about this problem too.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2023 10:13 AM

If the Splunk instances are a Search Head cluster then changes made to one should be reflected in the others within a few minutes at most.  Sometimes, page caches can cause old data to be displayed.  Try holding down the shift key as you refresh the page.  If that doesn't help, clear your browser cache or use incognito mode.

You can use the splunk_server=local option to the rest command to suppress that warning.  Saved searches are only on the SH, anyway, so there's no need to send the request to the indexers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Top