Splunk Enterprise

Cannot perform action "POST" without a target name to act on

damode1
Path Finder

I need to run a curl command to run various tasks such as creating searches, accessing searches etc.

I have the command below, which works perfectly:

curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ \
 -d name=test_durable \
 -d cron_schedule="*/15 * * * *" \
 -d description="This test job is a durable saved search" \
 -d dispatch.earliest_time="-15h@h" -d dispatch.latest_time=now \
 --data-urlencode search="search index=_audit sourcetype=audittrail | stats count by host"

 

But given that I may have to craft various curl commands with different -d flags, I want to be able to pass values through a file, so I used the command below:

curl -k -u admin:test12345 https://127.0.0.1:8089/services/saved/searches/ --data-binary data.json

 

where data.json looks like this

{
    "name": "test_durable",
    "cron_schedule": "*/15 * * * *",
    "description": "This test job is a durable saved search",
    "dispatch.earliest_time": "-15h@h",
    "dispatch.latest_time": "now",
    "search": "search index=_audit sourcetype=audittrail | stats count by host"
}

But in doing so I get the following error:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">Cannot perform action "POST" without a target name to act on.</msg>
  </messages>
</response>

 

So after going through a lot of different posts on this topic, I realised Splunk seems to have a problem with the JSON format, or mainly with extracting the 'name' attribute from the JSON format.

Can someone please assist with how I can craft a curl command that uses data from a file like I am using above and get a correct response from Splunk?

0 Karma
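
An added example, not part of the original post: the working command sends URL-encoded form fields, while `--data-binary data.json` without a leading `@` makes curl send the literal text `data.json` as the body. Assuming the endpoint reads form fields rather than a JSON body (an assumption consistent with the working `-d` command), this sketch converts the post's JSON file into a form body that curl can send with `--data @data.form`; the file name `data.form` and the function names are hypothetical.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlencode

# Constructed sample: the same fields as the data.json in the post.
SAMPLE = {
    "name": "test_durable",
    "cron_schedule": "*/15 * * * *",
    "description": "This test job is a durable saved search",
    "dispatch.earliest_time": "-15h@h",
    "dispatch.latest_time": "now",
    "search": "search index=_audit sourcetype=audittrail | stats count by host",
}


def json_to_form(json_path):
    """Return the JSON object's fields as one URL-encoded form body."""
    params = json.loads(Path(json_path).read_text(encoding="utf-8"))
    if not isinstance(params, dict):
        raise ValueError("expected a JSON object of parameter names to values")
    if not params.get("name"):
        # Fail locally instead of waiting for the server's 'target name' error.
        raise ValueError("'name' is required to create a saved search")
    flat = {}
    for key, value in params.items():
        if value is None or isinstance(value, (dict, list)):
            raise ValueError(f"{key!r} must be a scalar value")
        # JSON booleans are written as lowercase strings in the form body.
        flat[key] = str(value).lower() if isinstance(value, bool) else str(value)
    return urlencode(flat)


def demo():
    """Round-trip the constructed sample; return (body, decoded fields)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "data.json"), Path(tmp, "data.form")
        src.write_text(json.dumps(SAMPLE), encoding="utf-8")
        dst.write_text(json_to_form(src), encoding="ascii")
        body = dst.read_text(encoding="ascii")
        return body, {k: v[0] for k, v in parse_qs(body).items()}


if __name__ == "__main__":
    # Send the written file with the post's command plus: --data @data.form
    print(demo()[0])
```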