Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query which allows close all notables events considered as FP

d4wc3k
Path Finder
‎11-29-2019 04:59 AM

Hello alll

I have following question:
If it is possible to create query which will change owner,status and add note to notable events?
for example with using macro notable I have found all notable which need to be closed/resolved and I want to close them automatically, not by hand,

Thanks for answer

BR
Dawid

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

d4wc3k
Path Finder
‎12-02-2019 02:06 AM

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

d4wc3k
Path Finder
‎12-02-2019 02:06 AM

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

alonsocaio
Contributor
‎12-02-2019 03:46 AM

I use python requests, above is a simple function that can be used to close notables:

# STATUS
# 0 - Unassigned
# 1 - New
# 2 - In Progress
# 3 - Pending
# 4 - Resolved
# 5 - Closed

# URGENCY
# informational, low, medium, high, critical


status = 5
urgency = 'low'
comment = 'Closed by Python'
new_owner = 'admin'
rule_uids = EVENT_ID


def update_notable(status, urgency, comment, new_owner, rule_uids):
    status = status
    urgency = urgency
    comment = comment
    new_owner = new_owner
    rule_uids = rule_uids

    url = 'https://SPLUNK_SERVER:8089/services/notable_update'

    params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner}

    response = requests.request(method='POST', url=url, data=params, verify=False,
                                auth=HTTPBasicAuth('USER', 'PASSWORD'))
    return response.text

Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...

0 Karma
Reply
Solved! Jump to solution

alonsocaio
Contributor
‎11-29-2019 08:46 AM

I don't think you will be able to modify the notables from search, but one solution I have found was using the Splunk REST API. Maybe you could use your search query to trigger the REST API call to update the notable events. In my case I'm using a python script to update status, owner, urgency and notes of a notable event.

The following link brings more information about Notable Event API: https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

One other possible solution would be to suppress the notable events, but this would just take the events out from Incident Review.

0 Karma
Reply

Tune In & Win!

Don't miss out on your
chance to take home free
prizes by helping our players
save the Splunk Cloudom!

Dungeons & Data
Monsters: Splunk O11y
Day Editions Games
stream live:
5/4 at 6:30pm PST
5/5 at 7:00pm PST
on

Get Updates on the Splunk Community!