As part of automation, we needed to insert entire "SavedSearches" file via API. We have done manually/successfully by using the method: https://community.splunk.com/t5/Getting-Data-In/How-do-you-create-saved-search-using-REST-API-call/m...
But looking for a method so that we can insert something the file as such, not individual fields like..
curl -i -X POST https://${hostname}:8089/services/saved/searches \
--data-binary "@path/to/file"
Any idea how to do this?
=====
Ideas I've tried, so far is to => To split the savedsearches.conf into individual fields & then insert via -d
When I tried to parse the "ini" file using simple configParser, it threw error like below. Seems the splunk conf is NOT purely a configParser compatible 😞
{"msg": "An unhandled exception occurred while running the lookup plugin 'ini'. Error was a <class 'configparser.DuplicateOptionError'>, original message: While reading from '<???>' [line 22]: option '| eval usage' in section 'test' already exists"}
The sample i've used is below
[test]
alert.digest_mode = 1
alert.expires = 7d
counttype = number of events
alert.suppress = 1
alert.suppress.period = 4h
alert.track = 1
action.email.sendresults = 1
action.email.inline = 1
cron_schedule = 3,33 * * * *
description = You have used 80% of your disk capacity.
disabled = 1
enableSched = 1
quantity = 0
relation = greater than
search = | rest splunk_server_group=dmc_group_* /services/server/status/partitions-space \
| eval free = if(isnotnull(available), available, free) \
| eval usage = capacity - free \
| eval pct_usage = floor(usage / capacity * 100) \
| where pct_usage > 80 \
| stats first(fs_type) as fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point \
| eval usage = round(usage / 1024, 2) \
| eval capacity = round(capacity / 1024, 2) \
| rename splunk_server AS Instance mount_point as "Mount Point", fs_type as "File System Type", usage as "Usage (GB)", capacity as "Capacity (GB)", pct_usage as "Usage (%)"
