I'm trying to create a saved search with the following:
kwargs = {
    'description': 'failed auth',
    'is_scheduled': True,
    'cron_schedule': '*/5 * * * *',
    'start_time': 'rt-5s@s',   # rejected by the savedsearch handler, see error below
    'end_time': 'rt+5s@s'
}
It gives the following error:
HTTPError: HTTP 400 Bad Request --
In handler 'savedsearch': Argument "start_time" is not supported by this handler.
I've also tried earliest_time and latest_time, but with no luck. Please help.
Thanks in advance!
Instead of using it as you did, the following will work.
kwargs = {
    'description': 'failed auth',
    'is_scheduled': True,
    'cron_schedule': '*/5 * * * *',
    'dispatch.earliest_time': 'rt-5s@s',
    'dispatch.latest_time': 'rt+5s@s'
}
This works for me. I plan to do more fine-tuned filtering.
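One way to build these kwargs and create the search through splunklib, as an added example that is not from the thread: it refuses the keys the savedsearch handler rejects before any HTTP round trip and checks the time modifiers. The search string, the saved search name and the time-modifier pattern are assumptions.

```python
"""Build and create a scheduled Splunk saved search via the Python SDK (added example)."""
import re

# Keys the savedsearch REST handler rejects with HTTP 400, and what to use instead.
UNSUPPORTED_KEYS = {
    "start_time": "dispatch.earliest_time",
    "end_time": "dispatch.latest_time",
    "earliest_time": "dispatch.earliest_time",
    "latest_time": "dispatch.latest_time",
}

# Assumed shape of a relative time modifier: optional "rt" prefix, "now" or
# "+/-<n><unit>" with an optional "@unit" snap, e.g. "rt-5s@s", "-15m@m".
_TIME_RE = re.compile(r"^(rt|(rt)?(now|[+-]\d+(s|m|h|d|w|mon|y)(@\w+)?))$")


def build_scheduled_search_kwargs(description, cron_schedule, earliest, latest):
    """Return kwargs for SavedSearches.create using the dispatch.* window keys."""
    for value in (earliest, latest):
        if not _TIME_RE.match(value):
            raise ValueError("bad time modifier: %r" % value)
    if earliest.startswith("rt") != latest.startswith("rt"):
        raise ValueError("earliest and latest must both be real-time or both not")
    return {
        "description": description,
        "is_scheduled": True,
        "cron_schedule": cron_schedule,
        "dispatch.earliest_time": earliest,
        "dispatch.latest_time": latest,
    }


def check_kwargs(kwargs):
    """Fail fast on keys the handler would reject, naming the replacement key."""
    bad = {k: UNSUPPORTED_KEYS[k] for k in kwargs if k in UNSUPPORTED_KEYS}
    if bad:
        hints = ", ".join("%s -> %s" % kv for kv in sorted(bad.items()))
        raise ValueError("unsupported savedsearch keys: " + hints)
    return kwargs


def create_failed_auth_search(service, name="failed_auth_rt"):
    """Create the search on a connected splunklib.client.Service (assumed caller-supplied)."""
    kwargs = check_kwargs(build_scheduled_search_kwargs(
        "failed auth", "*/5 * * * *", "rt-5s@s", "rt+5s@s"))
    # Constructed search string; adjust to the data you actually index.
    query = 'index=_audit action="login attempt" info=failed | stats count by user'
    return service.saved_searches.create(name, query, **kwargs)
```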
I think you need to use scheduled_times and its arguments as part of your kwargs.
From the Python SDK docs for saved searches:
class splunklib.client.SavedSearch(service, path, **kwargs)
This class represents a saved search.
scheduled_times(earliest_time='now', latest_time='+1h') Returns the times when this search is scheduled to run.
By default this method returns the times in the next hour. For different time ranges, set earliest_time and latest_time. For example, for all times in the last day use “earliest_time=-1d” and “latest_time=now”.
Parameters: earliest_time (string) – The earliest time. latest_time (string) – The latest time. Returns: The list of search times.
Solved
kwargs = {
'description': 'failed auth',
'is_scheduled' : True,
'cron_schedule' : '*/5 * * * *',
'dispatch.earliest_time' : 'rt-5s@s',
'dispatch.latest_time' : 'rt+5s@s'
}