Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change save searches/alert cron_schedule with rest api/bash?

LovepreetSingh
New Member
‎07-15-2021 06:55 AM

Hello, I am trying to change cron_schedule of saved searches/alerts by calling REST API URI in a bash script. I am reading cron_schedule, search title and app name from a CSV file. CURL commands with working fine to change cron_schedule for all the private searches/alerts. but in case of Global searches/alert, It makes a private copy of that global search and changes the cron_schedule of that one, not the original one. I want to change the schedule of both local and global searches/alerts without creating a private copy of the global one. 

 

#! /bin/bash

INPUT=data.csv
OLDIFS=$IFS
IFS=','
[ ! -f $INPUT ] && {
echo "$INPUT file not found"
exit 99;
}
echo "-----------------------------------------------------" >> output.txt
while read app cron search_name
do
SEARCH=${search_name// /%20}

QUERY="https://localhost:8089/servicesNS/admin/$app/saved/searches/$SEARCH"

echo $QUERY >> output.txt
echo -e "\n---------------------------------------------------------\n"
echo -e "---Search Name-->$search_name"
echo -e "---Rest API URI-->$QUERY"

curl -i -k -u <admin_user>:<password> $QUERY -d cron_schedule=$cron -d output_mode=json >> response.txt

done < $INPUT

IFS=$OLDIFS

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-12-2023 04:33 AM

Hi

maybe this is too late for you, but for other who have same issue, here is fix for it.

When you are using /servicesNS/admin/$app/... you are targeting to admin user's private context. When you switches it to /servicesNS/nobody/$app/... you are targeting to app shared context. 

You could fix your script with changing QUERY to 

QUERY="https://localhost:8089/servicesNS/nobody/$app/saved/searches/$SEARCH"

Also you must check if there are any other characters in your Alerts/Savedsearch's names than space which needs to escape (like : ). Just do escape also to those.

Here is my own issue with this same subject https://community.splunk.com/t5/Alerting/Why-can-t-I-change-alert-with-REST-It-change-permission-fro...

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...