Hello, I am trying to change the cron_schedule of saved searches/alerts by calling the REST API URI in a bash script. I am reading the cron_schedule, search title and app name from a CSV file. The curl commands are working fine to change the cron_schedule for all the private searches/alerts, but in the case of global searches/alerts, it makes a private copy of that global search and changes the cron_schedule of that one, not the original one. I want to change the schedule of both local and global searches/alerts without creating a private copy of the global one.
#!/bin/bash
INPUT=data.csv
[ ! -f "$INPUT" ] && {
    echo "$INPUT file not found"
    exit 99
}
echo "-----------------------------------------------------" >> output.txt
# Each CSV line is: app,cron_schedule,search name
# IFS is set for read only, so the rest of the script keeps the default IFS
while IFS=',' read -r app cron search_name
do
    # Only spaces are percent-encoded here
    SEARCH=${search_name// /%20}
    QUERY="https://localhost:8089/servicesNS/admin/$app/saved/searches/$SEARCH"
    echo "$QUERY" >> output.txt
    echo -e "\n---------------------------------------------------------\n"
    echo -e "---Search Name-->$search_name"
    echo -e "---Rest API URI-->$QUERY"
    # Quoted so the * fields of the cron expression are never glob-expanded
    curl -i -k -u <admin_user>:<password> "$QUERY" -d "cron_schedule=$cron" -d output_mode=json >> response.txt
done < "$INPUT"
Hi,
maybe this is too late for you, but for others who have the same issue, here is a fix for it.
When you are using /servicesNS/admin/$app/... you are targeting the admin user's private context. When you switch it to /servicesNS/nobody/$app/... you are targeting the app's shared context.
You could fix your script by changing QUERY to
QUERY="https://localhost:8089/servicesNS/nobody/$app/saved/searches/$SEARCH"
Also, you must check whether there are any characters other than spaces in your alert/saved search names which need to be escaped (like : ). Just escape those as well.
Here is my own issue with this same subject https://community.splunk.com/t5/Alerting/Why-can-t-I-change-alert-with-REST-It-change-permission-fro...
r. Ismo
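The two points in the reply above (the `nobody` owner for the shared context, and escaping more than spaces in the name) combined in one dry-run helper. This is an added example, not code from either post; the function names `urlencode`, `saved_search_url` and `plan_updates` and the sample rows are made up here, and the host and port are the ones from the original script.

```bash
#!/bin/sh
# Percent-encode every byte of $1 outside the RFC 3986 unreserved set.
# Works on raw bytes via od, so ':' '/' '%' and UTF-8 names are all covered.
urlencode() {
    out=
    for hex in $(printf '%s' "$1" | od -An -v -tx1); do
        case $hex in
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                # unreserved (A-Z a-z 0-9 - . _ ~): emit the byte itself
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")" ;;
            *)
                # everything else becomes %XX in upper-case hex
                out="$out%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the shared-context endpoint: owner "nobody" instead of a user name.
# $1 = app, $2 = saved search name exactly as shown in the UI.
saved_search_url() {
    printf 'https://localhost:8089/servicesNS/nobody/%s/saved/searches/%s' \
        "$(urlencode "$1")" "$(urlencode "$2")"
}

# Dry run: read "app,cron,search name" rows on stdin and print the URL and
# cron value that would be posted, without contacting splunkd.
# The name is the last field, so commas inside it are preserved by read.
plan_updates() {
    while IFS=',' read -r app cron name; do
        [ -n "$app" ] || continue
        printf '%s cron_schedule=%s\n' \
            "$(saved_search_url "$app" "$name")" "$cron"
    done
}

# Constructed sample rows (not taken from the original post).
SAMPLE='search,*/15 * * * *,Errors: web tier (5xx)
ops_app,0 6 * * 1,Disk usage > 90%'

printf '%s\n' "$SAMPLE" | plan_updates
```

Reviewing the printed URLs before wiring in the curl call makes it easy to confirm that every row targets `/servicesNS/nobody/` and that no raw reserved character is left in the path.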