Report with parameter action.email Splunk API / Sp...

fst01 · ‎09-23-2021

Hello Community

I have some troubles with the option "action.email" in a saved search. I want to create a report with the Splunk API and set the available parameter "action.email" to "true" / "1" (because the default value is false).

I tried it like the below query, but it's not working as expected. After executing it's always the default value (false) and Splunk didn't changed it to "true" or "1":

curl -k -u <splunk_username>:<splunk_password> https://<splunk_ip>:<splunk_mgmt-port>/servicesNS/<user>/<app>/saved/searches -d name=Test_Report -d action.email=1 --data-urlencode -d search="<splunk_query>"

In a second step I tried to edit the report directly in Splunk Web -> Search, Reports, and Alerts -> testReport -> Advanced Edit. But everytime after I saved the report with the new parameter "action.email = 1" it looks like Splunk is reseting this value back to "false".

In my behavior., Splunk only saves the value "true" consistent after I edited the savedsearches.conf file.

Can you please help my with this problem?

Thanks

Report with parameter action.email Splunk API / Splunk Web

using Splunk Enterprise

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Report with parameter action.email Splunk API / Splunk Web

using Splunk Enterprise

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0