Splunk Enterprise

How to change saved searches/alert cron_schedule with REST API/bash?

LovepreetSingh
New Member

Hello, I am trying to change the cron_schedule of saved searches/alerts by calling a REST API URI from a bash script. I am reading cron_schedule, search title and app name from a CSV file. The curl commands are working fine for changing the cron_schedule of all the private searches/alerts, but in the case of global searches/alerts, it makes a private copy of that global search and changes the cron_schedule of that one, not the original one. I want to change the schedule of both local and global searches/alerts without creating a private copy of the global one.


#!/bin/bash

INPUT=data.csv
[ ! -f "$INPUT" ] && {
    echo "$INPUT file not found"
    exit 99
}
echo "-----------------------------------------------------" >> output.txt
# CSV columns: app,cron_schedule,search_name (the last field keeps the rest of the line)
while IFS=',' read -r app cron search_name
do
    # encode spaces in the search name so it can be used in the URL path
    SEARCH=${search_name// /%20}

    QUERY="https://localhost:8089/servicesNS/admin/$app/saved/searches/$SEARCH"

    echo "$QUERY" >> output.txt
    echo -e "\n---------------------------------------------------------\n"
    echo "---Search Name-->$search_name"
    echo "---Rest API URI-->$QUERY"

    # quote the URL so it is passed as one argument; --data-urlencode encodes the
    # spaces in the cron expression instead of sending them raw in the POST body
    curl -i -k -u <admin_user>:<password> "$QUERY" --data-urlencode "cron_schedule=$cron" -d output_mode=json >> response.txt

done < "$INPUT"


isoutamo
SplunkTrust

Hi

Maybe this is too late for you, but for others who have the same issue, here is a fix for it.

When you are using /servicesNS/admin/$app/... you are targeting the admin user's private context. When you switch it to /servicesNS/nobody/$app/... you are targeting the app's shared context.

You could fix your script by changing QUERY to

QUERY="https://localhost:8089/servicesNS/nobody/$app/saved/searches/$SEARCH"

Also you must check whether there are any characters other than space in your alert/saved search names that need escaping (like :). Escape those as well.

Here is my own issue on this same subject: https://community.splunk.com/t5/Alerting/Why-can-t-I-change-alert-with-REST-It-change-permission-fro...

r. Ismo 

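The two points of the answer above, as an added example that is not code from the thread: the owner segment of the URI (nobody for the app-shared object, a user name for that user's private one) and percent-encoding of every unsafe character in the search name, not only spaces. It assumes splunkd on localhost:8089 and credentials in SPLUNK_USER/SPLUNK_PASS; the sample CSV line is constructed.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumptions: splunkd on localhost:8089,
# credentials in SPLUNK_USER / SPLUNK_PASS, CSV layout app,cron_schedule,search_name.
LC_ALL=C; export LC_ALL            # iterate bytes so each byte is encoded on its own
SPLUNKD="https://localhost:8089"

# Percent-encode every byte outside the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~),
# so ':' '/' '?' '&' and friends in a search name are safe in the URL path.
urlencode() {
    ue_rest=$1; ue_out=""
    while [ -n "$ue_rest" ]; do
        ue_c=${ue_rest%"${ue_rest#?}"}       # first character of the remainder
        ue_rest=${ue_rest#?}
        case $ue_c in
            [A-Za-z0-9._~-]) ue_out="$ue_out$ue_c" ;;
            *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
        esac
    done
    printf '%s' "$ue_out"
}

# owner "nobody" addresses the app-shared object; a user name addresses that user's
# private object, and a POST there creates a private copy of a shared search.
saved_search_uri() {               # owner app name
    printf '%s/servicesNS/%s/%s/saved/searches/%s' \
        "$SPLUNKD" "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Update cron_schedule of one saved search. --data-urlencode encodes the spaces and
# asterisks of the cron expression instead of sending them raw as -d would.
set_cron_schedule() {              # owner app name cron
    curl -sS -k -u "$SPLUNK_USER:$SPLUNK_PASS" "$(saved_search_uri "$1" "$2" "$3")" \
        --data-urlencode "cron_schedule=$4" -d output_mode=json
}

# Constructed sample CSV line; nothing is sent, it only shows the two contexts
# the same search name resolves to.
line='search,*/15 * * * *,Errors: last 24h'
IFS=',' read -r app cron name <<EOF
$line
EOF
echo "private (admin):  $(saved_search_uri admin "$app" "$name")"
echo "shared  (nobody): $(saved_search_uri nobody "$app" "$name")"
echo "would POST cron_schedule=$cron"
```

Call set_cron_schedule nobody "$app" "$name" "$cron" inside the CSV loop to update the shared object in place.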