Splunk REST API - How to add an extra field to a saved search?

I want to create an alert that has an extra "selected field", uri_path. I don't know how to add that field as a "selected field". How do I do it?

This is my current code:

curl -k -u admin:password https://splunk.rf:8089/servicesNS/admin/search/saved/searches \
  -d name=http1 \
  --data-urlencode output_mode='json' \
  --data-urlencode actions='' \
  --data-urlencode alert.digest_mode='0' \
  --data-urlencode alert.expires='24h' \
  --data-urlencode alert.managedBy='' \
  --data-urlencode alert.severity='4' \
  --data-urlencode alert.suppress='1' \
  --data-urlencode alert.suppress.fields='uri_path' \
  --data-urlencode alert.suppress.period='5m' \
  --data-urlencode alert.track='1' \
  --data-urlencode alert_comparator='greater than' \
  --data-urlencode alert_condition='' \
  --data-urlencode alert_threshold='10' \
  --data-urlencode alert_type='number of events' \
  --data-urlencode allow_skew='0' \
  --data-urlencode cron_schedule='*/2 * * * *' \
  --data-urlencode description='' \
  --data-urlencode disabled='0' \
  --data-urlencode displayview='' \
  --data-urlencode is_scheduled='1' \
  --data-urlencode is_visible='1' \
  --data-urlencode max_concurrent='1' \
  --data-urlencode realtime_schedule='1' \
  --data-urlencode restart_on_searchpeer_add='1' \
  --data-urlencode run_n_times='0' \
  --data-urlencode run_on_startup='0' \
  --data-urlencode schedule_priority='default' \
  --data-urlencode schedule_window='0' \
  --data-urlencode dispatch.earliest_time='-2m' \
  --data-urlencode dispatch.latest_time='now' \
  --data-urlencode search='sourcetype="auth" failed'

The parameter you are looking for is display.events.fields. It adds the field to the "Selected Fields".

Here is your code with the correct parameter:

curl -k -u admin:password https://splunk.rf:8089/servicesNS/admin/search/saved/searches \
  -d name=http1 \
  --data-urlencode output_mode='json' \
  --data-urlencode actions='' \
  --data-urlencode alert.digest_mode='0' \
  --data-urlencode alert.expires='24h' \
  --data-urlencode alert.managedBy='' \
  --data-urlencode alert.severity='4' \
  --data-urlencode alert.suppress='1' \
  --data-urlencode alert.suppress.fields='uri_path' \
  --data-urlencode alert.suppress.period='5m' \
  --data-urlencode alert.track='1' \
  --data-urlencode alert_comparator='greater than' \
  --data-urlencode alert_condition='' \
  --data-urlencode alert_threshold='10' \
  --data-urlencode alert_type='number of events' \
  --data-urlencode allow_skew='0' \
  --data-urlencode cron_schedule='*/2 * * * *' \
  --data-urlencode description='' \
  --data-urlencode disabled='0' \
  --data-urlencode displayview='' \
  --data-urlencode is_scheduled='1' \
  --data-urlencode is_visible='1' \
  --data-urlencode max_concurrent='1' \
  --data-urlencode realtime_schedule='1' \
  --data-urlencode restart_on_searchpeer_add='1' \
  --data-urlencode run_n_times='0' \
  --data-urlencode run_on_startup='0' \
  --data-urlencode schedule_priority='default' \
  --data-urlencode schedule_window='0' \
  --data-urlencode dispatch.earliest_time='-2m' \
  --data-urlencode dispatch.latest_time='now' \
  --data-urlencode display.events.fields='["host","source","sourcetype","uri_path"]' \
  --data-urlencode search='sourcetype="auth" failed'
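As an added example (not part of the question or the answer, and not the Splunk SDK), the same request built with Python's standard library: it shows that display.events.fields is a JSON array carried as a string, merges extra fields into whatever list is already set, and reads the list back out of the JSON reply so the result can be checked. Host, user, endpoint and attribute values are the ones from the question; the password is assumed to be supplied by the caller, and TLS is verified rather than skipped as curl -k does.

```python
import base64
import json
import urllib.parse
import urllib.request

# Attributes taken from the question (abridged); "uri_path" is the extra
# selected field the poster wants.
BASE_ATTRS = {
    "name": "http1",
    "output_mode": "json",
    "alert.suppress": "1",
    "alert.suppress.fields": "uri_path",
    "alert_threshold": "10",
    "alert_type": "number of events",
    "dispatch.earliest_time": "-2m",
    "dispatch.latest_time": "now",
    "search": 'sourcetype="auth" failed',
}

def add_selected_fields(attrs, *fields):
    """Copy attrs with `fields` appended to display.events.fields, which is a
    JSON array of strings. Existing entries are kept; nothing is duplicated."""
    current = json.loads(attrs.get("display.events.fields", "[]"))
    for field in fields:
        if field not in current:
            current.append(field)
    return {**attrs, "display.events.fields": json.dumps(current, separators=(",", ":"))}

def encode_form_body(attrs):
    """Form-encode the attributes the way curl --data-urlencode does."""
    return urllib.parse.urlencode(attrs).encode()

def selected_fields_from_response(resp_json):
    """Read display.events.fields back from the saved/searches JSON reply."""
    content = resp_json["entry"][0]["content"]
    return json.loads(content.get("display.events.fields", "[]"))

def create_saved_search(base_url, user, password, attrs):
    """POST the saved search with TLS verified (no curl -k equivalent) and the
    password supplied by the caller rather than typed on the command line."""
    req = urllib.request.Request(
        f"{base_url}/servicesNS/{user}/search/saved/searches",
        data=encode_form_body(attrs), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call `create_saved_search("https://splunk.rf:8089", "admin", password, add_selected_fields(BASE_ATTRS, "host", "source", "sourcetype", "uri_path"))` and pass the reply to `selected_fields_from_response` to confirm uri_path is among the selected fields.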