Splunk Enterprise Security

Splunk Resilient - closing Splunk events

TetchyTech
New Member

We have our Splunk - Resilient integration mostly working and wanted to add a script in Resilient to update the status of Notables. It seems that not all of the notable events we are sending to Resilient contain a notable event_id.

We used the following search to send events (every 5 minutes):

`notable` | where isnull(notable_xref)

It looked like maybe we were picking up the Short Id being modified, so I did try this:

`notable`| where NOT like (notable_xref_name, "resilient%")

Still no joy, some events passed to Resilient do not contain the event_id, even though everything seems to work properly and I see the event_id in the notable events in Splunk - even though it didn't make it to Resilient.

Any tips on further troubleshooting?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...