Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to change save searches/alert cron_schedule with rest api/bash?

LovepreetSingh
New Member
‎07-15-2021 06:55 AM

Hello, I am trying to change cron_schedule of saved searches/alerts by calling REST API URI in a bash script. I am reading cron_schedule, search title and app name from a CSV file. CURL commands with working fine to change cron_schedule for all the private searches/alerts. but in case of Global searches/alert, It makes a private copy of that global search and changes the cron_schedule of that one, not the original one. I want to change the schedule of both local and global searches/alerts without creating a private copy of the global one. 

 

#! /bin/bash

INPUT=data.csv
OLDIFS=$IFS
IFS=','
[ ! -f $INPUT ] && {
echo "$INPUT file not found"
exit 99;
}
echo "-----------------------------------------------------" >> output.txt
while read app cron search_name
do
SEARCH=${search_name// /%20}

QUERY="https://localhost:8089/servicesNS/admin/$app/saved/searches/$SEARCH"

echo $QUERY >> output.txt
echo -e "\n---------------------------------------------------------\n"
echo -e "---Search Name-->$search_name"
echo -e "---Rest API URI-->$QUERY"

curl -i -k -u <admin_user>:<password> $QUERY -d cron_schedule=$cron -d output_mode=json >> response.txt

done < $INPUT

IFS=$OLDIFS

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-12-2023 04:33 AM

Hi

maybe this is too late for you, but for other who have same issue, here is fix for it.

When you are using /servicesNS/admin/$app/... you are targeting to admin user's private context. When you switches it to /servicesNS/nobody/$app/... you are targeting to app shared context. 

You could fix your script with changing QUERY to 

QUERY="https://localhost:8089/servicesNS/nobody/$app/saved/searches/$SEARCH"

Also you must check if there are any other characters in your Alerts/Savedsearch's names than space which needs to escape (like : ). Just do escape also to those.

Here is my own issue with this same subject https://community.splunk.com/t5/Alerting/Why-can-t-I-change-alert-with-REST-It-change-permission-fro...

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...