Hello,

Looking for some real guidance here. We just implemented Splunk with an Implementation team. We are pulling out Notables to send to our case management product and then closing the notable ( this way we are only searching for open notables to send and if for some reason it doesnt send it doesnt close so it can attempt again) .  

We are having to add a |head 1 to this search in order for the update Notable command knows which notable to update and set to close ( Not having the Head command caused issues updating the notable to closed.....seeing say 5 notables and then trying to update became to confusing for splunk) . This has caused us to make this search real-time search ( we get 10 Notables at the same time we dont want to wait 10 minuets for that event to get over to us) . I am going to provide some of the SPL and see if anyone knows a better way....we have been waiting for 4 months from Splunk on this.

 `notable`
| where (status==1 AND notable_xref_id!="")
Some eval commands and table
| head 1
| sendalert XXXX param.X_instance_id=X param.alert_mode="X" param.unique_id_field=""
param.case_template="X" param.type="alert" param.source="splunk" param.timestamp_field=""
param.title=X param.description=X param.tags="X" param.scope=0
param.severity=X param.tlp=X param.pap=X
| table status event_id | eval status=5|updatenotable

Has anyone attempted to search in the notable index and pull multiple events and tried to update the notable in that search and had successful results for multiple entries?