Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Query which allows close all notables events consi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello alll
I have following question:
If it is possible to create query which will change owner,status and add note to notable events?
for example with using macro notable I have found all notable which need to be closed/resolved and I want to close them automatically, not by hand,
Thanks for answer
BR
Dawid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@alonsocaio Thanks a lot for your answer.
On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference
We've got example how to use curl with rest to update notable:
curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"
My another question do you know simple code in python for use this rest call.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@alonsocaio Thanks a lot for your answer.
On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference
We've got example how to use curl with rest to update notable:
curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"
My another question do you know simple code in python for use this rest call.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use python requests, above is a simple function that can be used to close notables:
# STATUS
# 0 - Unassigned
# 1 - New
# 2 - In Progress
# 3 - Pending
# 4 - Resolved
# 5 - Closed
# URGENCY
# informational, low, medium, high, critical
status = 5
urgency = 'low'
comment = 'Closed by Python'
new_owner = 'admin'
rule_uids = EVENT_ID
def update_notable(status, urgency, comment, new_owner, rule_uids):
status = status
urgency = urgency
comment = comment
new_owner = new_owner
rule_uids = rule_uids
url = 'https://SPLUNK_SERVER:8089/services/notable_update'
params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner}
response = requests.request(method='POST', url=url, data=params, verify=False,
auth=HTTPBasicAuth('USER', 'PASSWORD'))
return response.text
Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think you will be able to modify the notables from search, but one solution I have found was using the Splunk REST API. Maybe you could use your search query to trigger the REST API call to update the notable events. In my case I'm using a python script to update status, owner, urgency and notes of a notable event.
The following link brings more information about Notable Event API: https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference
One other possible solution would be to suppress the notable events, but this would just take the events out from Incident Review.
Data Management Digest – November 2025
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
