Splunk REST API - specifying a relative time range for an alert

Time: 2020-07-29 11:06:10

Tags: rest splunk

I want to create an alert using Splunk's REST API. I want the alert to pick up events that occurred in the last two minutes. How do I do that?

This is the alert I have so far:

curl -k -u admin:password https://my.company:8089/servicesNS/admin/search/saved/searches \
  -d name=test7 \
  --data-urlencode output_mode='json' \
  --data-urlencode actions='' \
  --data-urlencode alert.digest_mode='1' \
  --data-urlencode alert.expires='24h' \
  --data-urlencode alert.managedBy='' \
  --data-urlencode alert.severity='3' \
  --data-urlencode alert.suppress='1' \
  --data-urlencode alert.suppress.fields='' \
  --data-urlencode alert.suppress.period='5m' \
  --data-urlencode alert.track='1' \
  --data-urlencode alert_comparator='greater than' \
  --data-urlencode alert_condition='' \
  --data-urlencode alert_threshold='10' \
  --data-urlencode alert_type='number of events' \
  --data-urlencode allow_skew='0' \
  --data-urlencode cron_schedule='*/2 * * * *' \
  --data-urlencode description='' \
  --data-urlencode disabled='0' \
  --data-urlencode displayview='' \
  --data-urlencode is_scheduled='1' \
  --data-urlencode is_visible='1' \
  --data-urlencode max_concurrent='1' \
  --data-urlencode realtime_schedule='1' \
  --data-urlencode restart_on_searchpeer_add='1' \
  --data-urlencode run_n_times='0' \
  --data-urlencode run_on_startup='0' \
  --data-urlencode schedule_priority='default' \
  --data-urlencode schedule_window='0' \
  --data-urlencode search='sourcetype="auth" failed'

1 answer:

Answer 0 (score: 0)

The parameters you are looking for in Splunk's documentation are dispatch.earliest_time and dispatch.latest_time.

Here is your request with those parameters added. It will look for events from the last 2 minutes:

curl -k -u admin:password https://my.company:8089/servicesNS/admin/search/saved/searches \
  -d name=test7 \
  --data-urlencode output_mode='json' \
  --data-urlencode actions='' \
  --data-urlencode alert.digest_mode='1' \
  --data-urlencode alert.expires='24h' \
  --data-urlencode alert.managedBy='' \
  --data-urlencode alert.severity='3' \
  --data-urlencode alert.suppress='1' \
  --data-urlencode alert.suppress.fields='' \
  --data-urlencode alert.suppress.period='5m' \
  --data-urlencode alert.track='1' \
  --data-urlencode alert_comparator='greater than' \
  --data-urlencode alert_condition='' \
  --data-urlencode alert_threshold='10' \
  --data-urlencode alert_type='number of events' \
  --data-urlencode allow_skew='0' \
  --data-urlencode cron_schedule='*/2 * * * *' \
  --data-urlencode description='' \
  --data-urlencode disabled='0' \
  --data-urlencode displayview='' \
  --data-urlencode is_scheduled='1' \
  --data-urlencode is_visible='1' \
  --data-urlencode max_concurrent='1' \
  --data-urlencode realtime_schedule='1' \
  --data-urlencode restart_on_searchpeer_add='1' \
  --data-urlencode run_n_times='0' \
  --data-urlencode run_on_startup='0' \
  --data-urlencode schedule_priority='default' \
  --data-urlencode schedule_window='0' \
  --data-urlencode dispatch.earliest_time='-2m' \
  --data-urlencode dispatch.latest_time='now' \
  --data-urlencode search='sourcetype="auth" failed'
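The same request, built programmatically, as an added example that is not part of the question or answer above. It assembles the saved-search form body with the dispatch.earliest_time / dispatch.latest_time window, checks that a "-Nm" lookback is at least as long as a "*/N * * * *" cron period (otherwise consecutive runs leave gaps that a brute-force burst could fall into), and sends it with verified TLS and a Splunk authentication token in place of the "-k -u admin:password" the post uses. The host name, token and alert name are placeholders; the relative-time grammar handled is a subset of what Splunk accepts.

```python
"""Build and submit a Splunk scheduled alert with an explicit relative dispatch window.

Added example, not from the original post. Assumes a Splunk management port at
SPLUNK_URL and a token with permission to write to the search app's saved searches.
"""
import re
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

SPLUNK_URL = "https://my.company:8089"  # placeholder, taken from the post's curl command

# Subset of Splunk relative time modifiers: "now", "-2m", "-1h@h", "+0s".
# Real-time modifiers ("rt-30s") are deliberately excluded for a scheduled alert.
_REL_TIME = re.compile(r"^(now|[-+]\d+(s|m|h|d|w|mon|q|y)(@[a-z0-9]+)?)$")
_MINUTE_STEP_CRON = re.compile(r"^\*/(\d+) \* \* \* \*$")


def build_alert_params(name: str, search: str, earliest: str = "-2m",
                       latest: str = "now", cron: str = "*/2 * * * *",
                       threshold: int = 10) -> Dict[str, str]:
    """Return the form fields for POST /servicesNS/admin/search/saved/searches."""
    for value in (earliest, latest):
        if not _REL_TIME.match(value):
            raise ValueError(f"not a Splunk relative time modifier: {value!r}")
    return {
        "name": name,
        "output_mode": "json",
        "search": search,
        "is_scheduled": "1",
        "cron_schedule": cron,
        "schedule_window": "0",
        "allow_skew": "0",
        # The window the scheduler dispatches each run with:
        "dispatch.earliest_time": earliest,
        "dispatch.latest_time": latest,
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": str(threshold),
        "alert.digest_mode": "1",
        "alert.suppress": "1",
        "alert.suppress.period": "5m",
        "alert.track": "1",
        "alert.severity": "3",
        "alert.expires": "24h",
    }


def encode_form(params: Dict[str, str]) -> str:
    """application/x-www-form-urlencoded body, equivalent to curl's --data-urlencode."""
    return urllib.parse.urlencode(params)


def window_covers_schedule(earliest: str, cron: str) -> bool:
    """True when a '-Nm' lookback is at least as long as a '*/M' minute cron period.

    Equal or longer means consecutive runs leave no uncovered gap; overlap is
    harmless here because alert.suppress absorbs repeated firings.
    """
    m_cron = _MINUTE_STEP_CRON.match(cron)
    m_early = re.match(r"^-(\d+)m$", earliest)
    if not m_cron or not m_early:
        raise ValueError("only '*/N * * * *' crons and '-Nm' lookbacks are handled here")
    return int(m_early.group(1)) >= int(m_cron.group(1))


def create_alert(base_url: str, token: str, params: Dict[str, str],
                 cafile: Optional[str] = None) -> Tuple[int, str]:
    """POST the saved search using a bearer token over verified TLS (no '-k')."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your Splunk CA, if private
    req = urllib.request.Request(
        f"{base_url}/servicesNS/admin/search/saved/searches",
        data=encode_form(params).encode(),
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    alert = build_alert_params("test7", 'sourcetype="auth" failed')
    assert window_covers_schedule(alert["dispatch.earliest_time"], alert["cron_schedule"])
    print(encode_form(alert))
    # create_alert(SPLUNK_URL, "<token>", alert, cafile="/etc/splunk/ca.pem")  # placeholder
```

Running the script prints the encoded body without contacting Splunk; uncomment the create_alert call with a real token to submit it. The window check is the one thing worth keeping from this: a "-1m" lookback on a "*/2" schedule would silently miss half of every two-minute interval.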