Splunk Enterprise Security

automatically close all associated notables when an investigation is closed

trobes
Engager

Is there a way to automatically close all of the notables associated with an investigation when you close the investigation itself?  Currently Splunk just gives me a warning that "x number of notables are still open in this investigation."  The only way i have found to close notables is to go back to the "incident review" interface and manually filter and then change their state to closed.  This seems like an unnecessary step if I'm already closing the investigation.  Am i missing something? 

0 Karma
1 Solution

shivanshu1593
Builder

You'll have to create a Python/JavaScript script to interact with Splunk's API to programtically close the notable events. No direct way possible as far as I know for now. Here's a great article by @LukeMurphey which you can refer to build your custom script. It's a tad old, but still works like charm, if you're using Splunk version 7.X. For versions 8.x and above, you may have to edit the code to make it compatible with Python 3, or use JavaScript, the safe option:

How to programmatically edit notable events in Splunk

If this helps, please mark it as an accepted answer. This will help other Splunkers to implement the solution for their requirements.

Thanks,

S

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

View solution in original post

0 Karma

shivanshu1593
Builder

You'll have to create a Python/JavaScript script to interact with Splunk's API to programtically close the notable events. No direct way possible as far as I know for now. Here's a great article by @LukeMurphey which you can refer to build your custom script. It's a tad old, but still works like charm, if you're using Splunk version 7.X. For versions 8.x and above, you may have to edit the code to make it compatible with Python 3, or use JavaScript, the safe option:

How to programmatically edit notable events in Splunk

If this helps, please mark it as an accepted answer. This will help other Splunkers to implement the solution for their requirements.

Thanks,

S

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...