Splunk Enterprise Security

unable to update "action.notable" via API

cha_18
Engager

I am trying to update a detections config in ES via API with a bash script.

All of the below is working and updating the parameters, other than updating action.notable and action.email, which I can't seem to be able to. I have tried all the values I can think of in there, e.g. 1, true, "1", but none are working. Is this something that anyone has seen before?



curl -k -u "$USERNAME:$PASSWORD" \
"https://essplunk.company.org:8029/servicesNS/nobody/<APP>/saved/searches/Threat%20-%20DetectionName%20-%20Rule" \
  -X POST \
  -d disabled=true \
  -d search=index="search" \
  -d description="Updated search for bad events" \
  -d action.email=0 \
  -d action.notable=0 \
  -d action.email.subject="hello" \
  -d action.email.message.alert="hello" \
  -d action.email.to=email@company.com \
  -d action.email.useNSSubject=1 \
  -d action.email._command_backup="whatever" \
  -d action.email.use_ssl=true \
  -d action.nbtstat.param.verbose="1"

 

0 Karma
1 Solution

cha_18
Engager

Worked it out, so posting here in case anyone else needs it...

Rather than

-d action.notable=true

you would need to set the parameters like the below:

-d actions=notable

 

If you want multiple, you would need a comma-separated list, e.g. below:

-d actions=email,notable

 

If you did it like the below, then you would only get one of the ARs applied:

 

-d actions=notable 
-d actions=email
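
Added example, not part of the original post: because `actions` is sent as one comma-separated value, adding or removing a single adaptive response means sending the complete list. The helper names `contains`, `merge_actions` and `apply_actions` are hypothetical, `<NAME>` is a placeholder, and the sample lists in the comments are constructed.

```shell
#!/bin/sh
# Build the full comma-separated "actions" value before POSTing it, so that
# enabling one adaptive response does not silently drop the others.

# contains LIST NAME: succeeds if NAME is an element of comma-separated LIST.
contains() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# merge_actions CURRENT add|remove NAME...
# Prints CURRENT with the names added or removed (order kept, no duplicates).
# The body runs in a subshell, so IFS and "set -f" do not leak to the caller.
merge_actions() (
  current=$(printf '%s' "$1" | tr -d ' '); op=$2; shift 2
  names=$(IFS=,; printf '%s' "$*")
  case $op in
    add)    candidates="$current,$names"; drop= ;;
    remove) candidates=$current; drop=$names ;;
    *) echo "usage: merge_actions CURRENT add|remove NAME..." >&2; exit 2 ;;
  esac
  out=
  IFS=,
  set -f
  for a in $candidates; do
    [ -n "$a" ] || continue
    if contains "$out" "$a" || contains "$drop" "$a"; then continue; fi
    out=${out:+$out,}$a
  done
  printf '%s\n' "$out"
)

# apply_actions URL LIST: send the whole list in a single "actions" field.
# Assumes USERNAME and PASSWORD are set as in the script above. The -k flag
# from that script is left out so the server certificate is verified.
apply_actions() {
  curl -u "$USERNAME:$PASSWORD" "$1" -X POST -d "actions=$2"
}

# Usage (needs network access and jq, so it is left commented out):
#   url="https://essplunk.company.org:8029/servicesNS/nobody/<APP>/saved/searches/<NAME>"
#   cur=$(curl -s -u "$USERNAME:$PASSWORD" "$url?output_mode=json" \
#         | jq -r '.entry[0].content.actions')
#   apply_actions "$url" "$(merge_actions "$cur" add notable)"
```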

 


