Splunk Enterprise

Change saved searches/alerts cron_schedule with REST API/bash

New Member

Hello, I am trying to change the cron_schedule of saved searches/alerts by calling the REST API URI in a bash script. I am reading the cron_schedule, search title and app name from a CSV file. The curl commands are working fine to change the cron_schedule for all the private searches/alerts, but in the case of global searches/alerts, it makes a private copy of that global search and changes the cron_schedule of that one, not the original one. I want to change the schedule of both local and global searches/alerts without creating a private copy of the global one.


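#!/bin/bash

# <...> values are placeholders. The INPUT and QUERY assignments are not shown in
# the post; the saved/searches endpoint and the comma separator are assumptions.
INPUT="<input_file.csv>"

[ ! -f "$INPUT" ] && {
    echo "$INPUT file not found"
    exit 99
}
echo "-----------------------------------------------------" >> output.txt
# Each CSV row: app,cron_schedule,search name
while IFS=, read -r app cron search_name
do
    SEARCH=${search_name// /%20}   # encode spaces for the URI path
    QUERY="https://<splunk_host>:8089/servicesNS/<user>/$app/saved/searches/$SEARCH"

    echo "$QUERY" >> output.txt
    echo -e "\n---------------------------------------------------------\n"
    echo -e "---Search Name-->$search_name"
    echo -e "---Rest API URI-->$QUERY"

    # -k disables TLS certificate verification; quoting keeps the "*" in $cron from globbing
    curl -i -k -u "<admin_user>:<password>" "$QUERY" -d "cron_schedule=$cron" -d output_mode=json >> response.txt

done < "$INPUT"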


0 Karma
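
The private copy described in the post comes from the owner segment of the `servicesNS` URI: posting under a user's own name to a search shared at app or global level writes into that user's namespace. As an added example (not the poster's script; the host in `BASE`, the function names, credentials in `~/.netrc` and the use of `jq` are assumptions), this looks up each search's ACL and addresses shared searches as `nobody` and private ones by their owner, with TLS verification left on and no password on the command line.

```bash
#!/bin/bash
# Added example. BASE, the function names, ~/.netrc credentials and jq are assumptions.
BASE="${SPLUNK_BASE:-https://splunk.example.com:8089}"   # placeholder management URI

# Percent-encode one URI path segment (spaces, "/", "%" in search names).
urlencode() (
  s=$1 out='' LC_ALL=C
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}              # peel off the first character
    case $c in
      [a-zA-Z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Owner segment of /servicesNS/<owner>/<app>/...: a private object is addressed by
# its owner's name, an object shared at app or global level as "nobody".
ns_owner() {   # $1 = ACL sharing (user|app|global), $2 = ACL owner
  case $1 in
    user) printf '%s' "$2" ;;
    app|global) printf 'nobody' ;;
    *) return 1 ;;
  esac
}

saved_search_uri() (   # $1 sharing, $2 owner, $3 app, $4 search name
  o=$(ns_owner "$1" "$2") || exit 1
  printf '%s/servicesNS/%s/%s/saved/searches/%s' "$BASE" \
    "$(urlencode "$o")" "$(urlencode "$3")" "$(urlencode "$4")"
)

# Rows are "app,cron,search_name". The ACL lookup prefers a shared entry over a
# private copy of the same name; rows whose ACL cannot be resolved are skipped.
update_from_csv() (
  while IFS=, read -r app cron name; do
    acl=$(curl -sS -n -G "$BASE/servicesNS/-/$(urlencode "$app")/saved/searches/$(urlencode "$name")" \
            -d output_mode=json |
          jq -r '[.entry[].acl] | (map(select(.sharing != "user"))[0] // .[0]) | "\(.sharing) \(.owner)"') || continue
    uri=$(saved_search_uri "${acl%% *}" "${acl#* }" "$app" "$name") || continue
    curl -sS -n "$uri" --data-urlencode "cron_schedule=$cron" -d output_mode=json
  done < "$1"
)

if [ "$#" -eq 1 ]; then update_from_csv "$1"; fi
```

The account in `~/.netrc` needs write permission on the shared searches it updates.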