Update notable event with splunklib (splunk-sdk fo...

breid1313 · ‎11-04-2020

Hi all,

I'm wondering if anyone has had success updating notable events using the Splunk SDK for Python (splunklib). I've seen a few examples of how to get it done with the splunk python package (for example https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...), but I'd prefer to leverage the Python SDK.

I've formatted the POST request every way I can think of, but I can't get a proper request to the server. I always get the error:

```

splunklib.binding.HTTPError: HTTP 400 Bad Request -- b'"ValueError: One of comment, newOwner, status, urgency is required."'

```

I am passing a `comment` argument, but it must be doing it incorrectly.

splunker_dave · ‎01-05-2022

A little late to the party here... I had the same issue when trying to post to Notables. I was able to solve it by structuring the calls this way:

data={

"ruleUIDs":"123456789" ,

"comment":"comment goes here",

}

Hope this helps.

kchamplin_splun · ‎11-13-2020

A curl based example is available here:

I'd reference that doc and leave comments on the doc page if you still run into issues.

Update notable event with splunklib (splunk-sdk for python)