11/22/2023
Splunk saved search

If the issue described here is truly due to permissions/capabilities, the solution is also with permissions/capabilities, and not changes to the provider to ignore certain settings if/when the Terraform account doesn't have sufficient permissions to perform the operation. Local changes getting ignored violates that concept. Terraform should detect drift and revert it. Creating it in Terraform and editing it locally isn't something that will give you long term success for many reasons. If the managed resource needs schedule_priority, the account Terraform uses needs to have that capability. I'll create a PR for that. A resource should be entirely managed by Terraform or entirely unmanaged by Terraform. I think simply not saving this parameter into the state should fix it. This request will fail now because you don't have the edit_search_schedule_priority capability. If there is now any update on the search, the update requests will contain schedule_priority="default". The managerid relates to an existing search, saved search. Terraform will read this default value and write it back into the state. These are also included with Splunk and are included by default in the RequireJS declaration. Also, search for the field tag, with the format: tag::. It requires lots of memory since each level of the tree must be saved into. | rest /services/saved/searches | search title | rename title AS 'Title', description AS 'Description', al. Uninformed Search Algorithms with AI, Artificial Intelligence, Tutorial. I used the below queries, but they did not give proper results. But basically I have relatively complex searches that I don't want to manage in 1 report with joins or. Hi Everyone, I would like to list all the alerts that are set up by users, not by Splunk apps like ITSI/DMC, using the REST API. sources, source types, saved searches, and event types.
Is it possible to merge the results from different saved searches in Splunk? I have come across 2 similar questions while trying to find a result: how to get a single report by evaluating 3 saved searches and merging results from 3 searches. If you don't set it in Terraform, it will be left empty, therefore Splunk is setting it to "default" on its own. When searching for strings and quoted strings (anything that's not a search modifier), Splunk software searches the raw field for the matching events or results. I was running this as an id with the Admin role that should see all Apps. the below search format with a set of scheduled saved searches that populate lookup tables. They match the saved searches in the search App. How to add multiple queries in one search in Splunk. Name name)) // Create a saved search testSearch await savedSearches.CreateAsync(name, search indexsdk-tests earliest-1m) // Dispatch the saved. I got 36 results and eai:acl.app had 'search' for all 36 of them. eai:acl.app matches what should show the Splunk App that the saved searches come from. If you don't have this, your requests to the API are not allowed to even have this field. | rest /services/saved/searches | table to see all the fields. In order to set or update the schedule_priority field you need to have the edit_search_schedule_priority capability in Splunk.