Splunk Enterprise

How to change save searches/alert cron_schedule with rest api/bash?

LovepreetSingh
New Member

Hello, I am trying to change cron_schedule of saved searches/alerts by calling REST API URI in a bash script. I am reading cron_schedule, search title and app name from a CSV file. CURL commands with working fine to change cron_schedule for all the private searches/alerts. but in case of Global searches/alert, It makes a private copy of that global search and changes the cron_schedule of that one, not the original one. I want to change the schedule of both local and global searches/alerts without creating a private copy of the global one. 

 

#! /bin/bash

INPUT=data.csv
OLDIFS=$IFS
IFS=','
[ ! -f $INPUT ] && {
echo "$INPUT file not found"
exit 99;
}
echo "-----------------------------------------------------" >> output.txt
while read app cron search_name
do
SEARCH=${search_name// /%20}

QUERY="https://localhost:8089/servicesNS/admin/$app/saved/searches/$SEARCH"

echo $QUERY >> output.txt
echo -e "\n---------------------------------------------------------\n"
echo -e "---Search Name-->$search_name"
echo -e "---Rest API URI-->$QUERY"

curl -i -k -u <admin_user>:<password> $QUERY -d cron_schedule=$cron -d output_mode=json >> response.txt

done < $INPUT

IFS=$OLDIFS

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

maybe this is too late for you, but for other who have same issue, here is fix for it.

When you are using /servicesNS/admin/$app/... you are targeting to admin user's private context. When you switches it to /servicesNS/nobody/$app/... you are targeting to app shared context. 

You could fix your script with changing QUERY to 

QUERY="https://localhost:8089/servicesNS/nobody/$app/saved/searches/$SEARCH"

Also you must check if there are any other characters in your Alerts/Savedsearch's names than space which needs to escape (like : ). Just do escape also to those.

Here is my own issue with this same subject https://community.splunk.com/t5/Alerting/Why-can-t-I-change-alert-with-REST-It-change-permission-fro...

r. Ismo 

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...