Reporting

Rest API to re-trigger report using saved search with spaces and special characters possible?

dondky
Path Finder

Hello all, we have an app we built that queries active directory to send login reports for all our administrators. The report is scheduled via cron to run at 6AM and guess what our license expired during the night causing the reports not to run. As a result I've been tasked with figuring out how to re-trigger these reports. We have 1 report sent out for each Administrator in our organization. Let's say around 300 or so.

Here is what I've done so far. My first step was to get the saved searches title:

| rest /servicesNS/-/ourcustomapp/saved/searches splunk_server=local | table title

I exported this to csv so I could use curl + the shell to loop through the title and hopefully re-trigger these alerts based on saved searches title.

Well it wasn't that easy.

Some accounts are simple and work such as "JohnDoe", but we have some accounts that are "Jane Austin (server administrator)" so we have spaces ( characters and what not.

So I attempted to write a script that takes each of the saved search names above and send them through like so:

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/domainadminalerts/saved/searches/JohnDoe/dispatch -d trigger_actions=1

This works, for JohnDoe, but passing in

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/domainadminalerts/saved/searches/"Jane Austin (server administrator)"/dispatch -d trigger_actions=1

Fails, Does this need to be URL encoded? Please let me know if I'm on the right path to this.

Thanks

Tags (1)
0 Karma
1 Solution

burwell
SplunkTrust
SplunkTrust

Yes that is it. When I use the REST API I need to specify %20 for spaces. So add some code to replace %20 for the space in your saved search name.

To see the encoding you can go to the list of saved searches (Settings -> Searches and Reports) then click on your search as if to edit. You will see the URL. For example for myserver.com with a saved search of the name "my search with spaces" I see the URL below. I can see the spaces got encoded to %20

http://myserver.com:8000/splunk/en-US/manager/search/saved/searches/my%20search%20with%20spaces?acti...

View solution in original post

burwell
SplunkTrust
SplunkTrust

Yes that is it. When I use the REST API I need to specify %20 for spaces. So add some code to replace %20 for the space in your saved search name.

To see the encoding you can go to the list of saved searches (Settings -> Searches and Reports) then click on your search as if to edit. You will see the URL. For example for myserver.com with a saved search of the name "my search with spaces" I see the URL below. I can see the spaces got encoded to %20

http://myserver.com:8000/splunk/en-US/manager/search/saved/searches/my%20search%20with%20spaces?acti...

dondky
Path Finder

Thanks I suspected so. Time to do some replacements!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yes, the REST API endpoint is in fact a URL so special characters such as space, hyphen etc would need to be URL encoded.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...