How to get details of a Notable event using API - eventid hash, ruleid, severity, urgency etc
How to get a Notable event from a sid and how does a Notable event relate to an Incident
Is there a way to get the related events, i.e. the independent log lines that triggered the Notable event (not the summary)?
curl -k -u username:password https://splunkserver:8089/servicesNS/admin/search/search/jobs/export -d search="search %60notable%60 | search eventhash=youreventhash | fields ruleid, eventhash, eventid, urgency, severity" -d "output_mode=json"
I was not very clear in the question. I can see the Notable details on the Incident Review screen; what I want is to get these details using a REST API or other calls, i.e. Notable event details and related events using an API with the sid as the input parameter.
I presume you are referring to the Enterprise Security app.
The system 10.11.36.20 has failed sshd authentication 44 times using 38 username(s) against 1 target(s) in the last hour
Additional Fields (Field: Value)
Source Business Unit: americas
Source Category: pci
Source City: Pleasanton
Source Country: USA
Source IP Address: 10.11.36.20
Source Expected: true
Source Latitude: 37.694452
Source Longitude: -121.894461
Source Owner: Bill_williams
Source PCI Domain: trust
Source Requires Antivirus: false
Source Should Time Synchronize: true
Source Should Update: true
Correlation search: Access - Excessive Failed Logins - Rule
Drilldown: View all login failures by system 10.11.36.20 for the application sshd
A notable event is a Splunk term. Whenever the underlying correlation search comes back positive, it generates a notable event.
You can see the correlation search that triggered the notable event.
Thanks Satish, I was not very clear in the question. I can see the Notable details on the Incident Review screen; what I want is to get these details using a REST API or other calls.
Currently I am using a scripted alert when a Notable is generated. This triggers a script; in the script I have the search ID and, using the 8 Splunk-provided environment variables, some more details on the events which caused the Notable event.
But so far I have not seen an easy way to retrieve the Notable event details (eventid, ruleid, hash, urgency, severity etc.) along with the incidents and pass them to an external ticketing system. The ideal way would be: I have the sid from the alert in the script; using that, I call an API to get details on the Notable event and its related events and pass that information to the external system.
And is there a way to get the independent log lines that triggered the Notable event (not the summary)?
Today I use this to get details of the search using the sid:
So, similarly to this, can I call an API to get Notable event or Incident details along with related events using the sid?
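As an added example that is not part of the thread: the curl call from the first answer, wrapped in a small Python client that takes the sid handed to the scripted alert as its input. It assumes the notable event records the correlation search's job id in an `orig_sid` field and uses the field names `rule_id`, `rule_name`, `event_id`, `event_hash`, `urgency` and `severity` (assumptions to verify against your own `notable` index); the sample export stream at the bottom is constructed, not real output.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

EXPORT_PATH = "/servicesNS/admin/search/search/jobs/export"


def notable_search_for_sid(sid):
    # SPL that finds the notable event written by the correlation search whose
    # job id (sid) the scripted alert received. `orig_sid` is assumed to be the
    # notable-index field holding that id; check it against your own index.
    safe = sid.replace("\\", "\\\\").replace('"', '\\"')
    return ('search `notable` | search orig_sid="%s" '
            '| fields rule_id, rule_name, event_id, event_hash, urgency, severity' % safe)


def parse_export(text):
    # With output_mode=json the export endpoint streams one JSON object per
    # line, each carrying the event under "result"; preview rows are skipped.
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def fetch_notable_for_sid(base_url, user, password, sid, verify_tls=True):
    # Same request as the curl command in the answer, with the sid as input.
    body = urllib.parse.urlencode(
        {"search": notable_search_for_sid(sid), "output_mode": "json"}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + EXPORT_PATH, data=body)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = None if verify_tls else ssl._create_unverified_context()  # mirrors curl -k
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_export(resp.read().decode("utf-8"))


# Constructed sample of the export stream (placeholder values, not real output).
SAMPLE_EXPORT = "\n".join([
    '{"preview":true,"offset":0,"result":{"rule_id":"partial"}}',
    '{"preview":false,"offset":0,"result":{"rule_id":"RULEID-PLACEHOLDER",'
    '"rule_name":"Access - Excessive Failed Logins - Rule","event_id":"EVENTID-PLACEHOLDER",'
    '"event_hash":"EVENTHASH-PLACEHOLDER","urgency":"high","severity":"medium"}}',
])

if __name__ == "__main__":
    for row in parse_export(SAMPLE_EXPORT):
        print(row["rule_name"], row["urgency"], row["severity"])
```

The rows returned are what a ticketing integration would forward; the raw contributing events still come from the correlation search's own job results or its drilldown search, not from the notable record itself.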