Community:Search Report: How to create, alter, and delete searches using REST calls

From Splunk Wiki


Creating and altering searches and alerts manually through the UI can be a tedious and time-consuming process. As a Splunk administrator, you may find it preferable to do these tasks programmatically for a variety of reasons. Here are some examples:

1. If you create a search and save it as an alert through the UI, there is no option to set it to trigger every time it runs. You have to go to "Settings > Searches, reports, and alerts" afterwards to set the "Always" parameter.

2. Third-party systems may require automated creation or alteration of searches based on observed activity.

3. You may need to change the run times, or the duration for which results are kept, for a large number of searches at once.

These are just some of the reasons an admin may want to use REST calls to manage searches and alerts. Here are some useful calls I have identified. In my examples I used the name "AAsearch-test" for my search so that it sorts to the top of the list in Splunk Web. I also used the "admin" user for all my testing and search creation.

  • Run a search:

curl -u admin:password -k https://cm:8089/services/search/jobs -d search="search index=_internal source=*splunkd.log earliest=-10s"


  • Create a private search for a user (for a non-admin user, put that user's name after servicesNS/ in place of admin):

curl -k -u admin:password https://cm:8089/servicesNS/admin/search/saved/searches/ -d name=AAsearch-test -d search="search index=_internal source=*splunkd.log earliest=-10s"


  • Change a private search (for a non-admin user, put that user's name after servicesNS/ in place of admin):

curl -k -u admin:password https://cm:8089/servicesNS/admin/search/saved/searches/AAsearch-test/ -d search="search index=_internal source=*splunkd.log earliest=-10s"

curl -k -u admin:password https://cm:8089/servicesNS/admin/search/saved/searches/AAsearch-test/ -d search="search index=_internal source=*metrics.log earliest=-5s"


  • Convert a user's private search to a search associated with an app (this is done through the search's acl endpoint):

curl -k -u admin:password https://cm:8089/servicesNS/admin/search/saved/searches/AAsearch-test/acl -d perms.read=* -d owner=admin -d sharing=app


  • Change a public (app-level) search (the same call as before, but against the nobody/&lt;app&gt; endpoint instead of the user's):

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test -d search="search index=_internal source=*splunkd.log earliest=-10s"


  • Disable a search:

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test -d disabled=1

  • Set an alert to trigger regardless of the number of results (the "Always" setting):

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test -d alert_type=always

  • Set the alert severity:

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test -d alert.severity=2


  • Set a variety of parameters at once, leaving alert_type at its default of always:

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test -d action.email.useNSSubject=1 -d alert.suppress=0 -d alert.track=1 -d auto_summarize.dispatch.earliest_time=-1d@h -d cron_schedule="* * * * *" -d is_scheduled=1 -d alert.severity=4 -d alert.expires=13m


  • Set the number of events on which to trigger:

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test -d alert_type="number of events" -d alert_comparator="greater than" -d alert_threshold=17


  • Three lines which can be used in a script to create a search, set its permissions, and assign multiple parameters:

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches -d name=AAsearch-test -d search="search index=_internal source=*splunkd.log earliest=-10s lsdkjfasfoiewoaeriov"

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test/acl -d perms.read=* -d owner=admin -d sharing=app

curl -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test -d action.email.useNSSubject=1 -d alert.suppress=0 -d alert.track=1 -d auto_summarize.dispatch.earliest_time=-1d@h -d cron_schedule="* * * * *" -d is_scheduled=1 -d alert.severity=5


  • Delete a search:

curl --request DELETE -k -u admin:password https://cm:8089/servicesNS/nobody/search/saved/searches/AAsearch-test
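The three-line create / set ACL / configure sequence and the delete call above, wrapped in reusable shell functions as an added example (this is not code from the wiki page). It assumes the page's host cm:8089, the search app and the admin account, and replaces the page's "-u user:password" with a curl config read from stdin so the credentials do not appear in the process list; the function names saved_search_url, splunk_call, create_app_alert and delete_app_search are chosen here.

```shell
#!/bin/sh
# Added example, not from the wiki page; assumes cm:8089, the "search" app
# and admin credentials like the page's commands (override via environment).
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-https://cm:8089}"
SPLUNK_USER="${SPLUNK_USER:-admin}"
SPLUNK_PASS="${SPLUNK_PASS:-password}"
# The page's commands use -k (no TLS certificate check); set SPLUNK_CA to the
# management port's CA bundle to verify the certificate instead.
SPLUNK_CA="${SPLUNK_CA:-}"

# saved_search_url OWNER APP [NAME]: servicesNS endpoint for saved searches;
# OWNER is a user name (private search) or "nobody" (app-level search).
saved_search_url() {
  if [ -n "${3:-}" ]; then
    printf '%s/servicesNS/%s/%s/saved/searches/%s\n' "$SPLUNK_HOST" "$1" "$2" "$3"
  else
    printf '%s/servicesNS/%s/%s/saved/searches\n' "$SPLUNK_HOST" "$1" "$2"
  fi
}

# splunk_call URL [curl options...]: authenticated call; prints the HTTP status
# and fails unless it is 2xx. Credentials reach curl through a config file on
# stdin (-K -) rather than -u, so they are not visible in the process list.
splunk_call() {
  url="$1"; shift
  if [ -n "$SPLUNK_CA" ]; then set -- --cacert "$SPLUNK_CA" "$@"; else set -- -k "$@"; fi
  status=$(printf 'user = "%s:%s"\n' "$SPLUNK_USER" "$SPLUNK_PASS" |
    curl -sS -K - -o /dev/null -w '%{http_code}' "$@" "$url")
  case "$status" in 2*) echo "$status" ;; *) echo "HTTP $status from $url" >&2; return 1 ;; esac
}

# create_app_alert NAME SPL CRON: create under nobody, share read-only to the
# app, then schedule as an always-triggering alert. --data-urlencode keeps
# spaces, '=' and '&' in the SPL intact; a plain -d sends them raw.
# Usage: create_app_alert AAsearch-test 'search index=_internal source=*splunkd.log earliest=-10s' '* * * * *'
create_app_alert() {
  base=$(saved_search_url nobody search)
  splunk_call "$base" -d "name=$1" --data-urlencode "search=$2" >/dev/null
  splunk_call "$base/$1/acl" -d 'perms.read=*' -d "owner=$SPLUNK_USER" -d sharing=app >/dev/null
  splunk_call "$base/$1" -d is_scheduled=1 --data-urlencode "cron_schedule=$3" \
    -d alert_type=always -d alert.track=1 -d alert.severity=4 >/dev/null
}

# delete_app_search NAME: remove the app-level saved search (undoes the above).
delete_app_search() {
  splunk_call "$(saved_search_url nobody search "$1")" --request DELETE >/dev/null
}
```

Because every call goes through splunk_call, a non-2xx response (for example a 409 when the search already exists, or a 404 on the ACL step when creation failed) stops the script at that step instead of silently running the remaining calls.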
