Hi, I am wondering if it is possible to have my adaptive response actions append fields to the notable which triggered them. I am in a situation where my adaptive response action returns a link, and I would like for that link to be displayed alongside all other interesting fields in the notable. I followed http://blogs.splunk.com/2015/04/13/how-to-edit-notable-events-in-es-programatically/ and tried to provide the REST API an argument like args['my_link'] and received the following error : {"message":"ValueError: One of comment, owner, status, urgency is required.","success":false} Is there anyway to update the notable and append new fields to it based on the results of adaptive response actions? ... View more

Hi, Is it possible to prepopulate an adaptive response action's form from the notable event? Let's say my notable event has fields: fielda = 1234 fieldb = 5436 fieldc = 8512 And my alert_props.conf has param.field1 = $result.fielda$ param.field2 = $result.fieldb$ param.field3 = $result.fieldc$ When someone (via Splunk Enterprise Security) does Actions->Run Adaptive Response Actions, I would expect Splunk to prepopulate the form with the values from the notable event it was selected through. Is this possible? ... View more