Ok, I finally cracked it. Took way too long, but the solution below works: the notable is added to the investigation, and it is displayed properly in the investigation UI (Timeline, both Slide and List views). Splunk Enterprise 9.4.4, ES 7.3.4.

The API call is still the same as in my initial post:

curl -X POST -H "Authorization: Bearer YOUR_API_TOKEN" -k 'https://splunk_es:8089/services/storage/investigation/investigation_event?output_mode=json' --data '{"event_id":"your_notable_event_id","class_name":"notable_event","parent_class":"investigation","parent_id":"your_investigation_id","parent_version":1,"version":1,"title":"your_notable_title","start_time":1763586197,"end_time":0,"comments":[],"tags":[],"sourcetype":"stash","host":"your_splunk_es_host","raw": "json_encoded_raw_contents"}'

The "start_time" is the time of creation for the notable event.

To create the raw field containing the necessary fields, I used the search below:

`notable`
| search event_id="your_notable_event_id"
| eval raw = replace(_raw,"\"", "\\\"")
| eval raw = "\"_raw\":[\"" . raw . "\"]"
| eval bkt = "\"_bkt\":[\"" . _bkt . "\"]"
| eval cd = "\"_cd\":[\"" . _cd . "\"]"
| eval eventtype_color = "\"_eventtype_color\":[\"" . _eventtype_color . "\"]"
| eval indextime = "\"_indextime\":[\"" . _indextime . "\"]"
| eval serial = "\"_serial\":[\"" . _serial . "\"]"
| eval sourcetype_internal = "\"_sourcetype\":[\"" . _sourcetype . "\"]"
| eval eventtype = "\"eventtype\":[\"modnotable_results\",\"notable\"]"
| foreach _time disposition disposition_default disposition_description disposition_label event_hash event_id host index indexer_guid notable_type owner owner_realname rule_description rule_id rule_name rule_title security_domain source sourcetype status status_default status_label urgency [eval <<FIELD>> = "\"<<FIELD>>\":[\"" . <<FIELD>> . "\"]"]
| eval raw = "{" . bkt . "," . cd . "," . eventtype_color . "," . indextime . "," . raw . "," . serial . "," . sourcetype_internal . "," . _time . "," . disposition . "," . disposition_default . "," . disposition_description . "," . disposition_label . "," . event_hash . "," . event_id . "," . eventtype . "," . host . "," . index . "," . indexer_guid . "," . notable_type . "," . owner . "," . owner_realname . "," . rule_description . "," . rule_id . "," . rule_name . "," . rule_title . "," . security_domain . "," . source . "," . sourcetype . "," . status . "," . status_default . "," . status_label . "," . urgency . "}"

The "raw" field is what you'll want to encode so that you can then stick it into the API call without getting parsing errors. In my case I put it through my SOAR tool before making the API call.

Note that I only include a subset of fields from my notables in "raw". I don't care about things like annotations going to the investigations at this time. I also include a bunch of fields that you may not care about, so feel free to trim down as necessary.

For the notable to display correctly in the Timeline slide view (in Overview), you'll need at least these fields: urgency, status_label, owner_realname, rule_description, event_id, event_hash, eventtype.

Hope that helps!
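The post builds the "raw" object by string concatenation in SPL and then has a SOAR tool JSON-encode it before the POST. The following is an added example (not code from the post or from Splunk) that does the same two steps in Python: assemble the "raw" object with the same field list as the SPL, check the minimum field set the post says the Timeline slide view needs, serialize it with json.dumps so quotes, backslashes and control characters in _raw are escaped correctly, and build the request body with the same keys as the curl command. The notable record, investigation ID, hostname and endpoint URL are constructed placeholders; the HTTP call mirrors the curl command (bearer token, optional certificate check disabled) and is not executed here.

```python
"""Assemble a Splunk ES investigation_event body for a notable (added example)."""
import json
import ssl
import urllib.request

# Fields the post's SPL copies into "raw"; each becomes a one-element list,
# which is the shape Splunk search results use for field values.
RAW_FIELDS = [
    "_bkt", "_cd", "_eventtype_color", "_indextime", "_raw", "_serial",
    "_sourcetype", "_time", "disposition", "disposition_default",
    "disposition_description", "disposition_label", "event_hash", "event_id",
    "host", "index", "indexer_guid", "notable_type", "owner", "owner_realname",
    "rule_description", "rule_id", "rule_name", "rule_title", "security_domain",
    "source", "sourcetype", "status", "status_default", "status_label", "urgency",
]

# Minimum set the post reports the Timeline slide view requires.
REQUIRED_FOR_TIMELINE = {"urgency", "status_label", "owner_realname",
                         "rule_description", "event_id", "event_hash", "eventtype"}

# Constructed sample notable (not real data). _raw deliberately contains
# quotes and a backslash to exercise the escaping.
SAMPLE_NOTABLE = {
    "_bkt": "notable~3~00000000-0000-0000-0000-000000000000",
    "_cd": "3:42", "_eventtype_color": "none", "_indextime": "1763586200",
    "_raw": '1763586197, search_name="Threat - Example - Rule", path="C:\\tmp", signature="a \\"quoted\\" value"',
    "_serial": "0", "_sourcetype": "stash", "_time": "1763586197",
    "disposition": "disposition:0", "disposition_default": "true",
    "disposition_description": "Undetermined", "disposition_label": "Undetermined",
    "event_hash": "constructed-event-hash", "event_id": "constructed-event-id",
    "host": "splunk_es", "index": "notable", "indexer_guid": "constructed-guid",
    "notable_type": "notable", "owner": "unassigned", "owner_realname": "unassigned",
    "rule_description": "Example rule description", "rule_id": "constructed-rule-id",
    "rule_name": "Threat - Example - Rule", "rule_title": "Example notable title",
    "security_domain": "threat", "source": "Threat - Example - Rule", "sourcetype": "stash",
    "status": "1", "status_default": "true", "status_label": "New", "urgency": "medium",
}


def build_raw(notable):
    """Return the "raw" object: every listed field as a one-element list, plus
    the fixed eventtype pair the SPL hard-codes. Raises if the Timeline minimum
    set is not present."""
    raw = {f: [str(notable[f])] for f in RAW_FIELDS if f in notable}
    raw["eventtype"] = ["modnotable_results", "notable"]
    missing = REQUIRED_FOR_TIMELINE - set(raw)
    if missing:
        raise ValueError(f"notable lacks Timeline fields: {sorted(missing)}")
    return raw


def build_payload(notable, investigation_id, splunk_host):
    """Return the request body. "raw" is the raw object serialized to a string,
    so it is JSON nested inside JSON; json.dumps handles the escaping."""
    return {
        "event_id": notable["event_id"],
        "class_name": "notable_event",
        "parent_class": "investigation",
        "parent_id": investigation_id,
        "parent_version": 1,
        "version": 1,
        "title": notable["rule_title"],
        "start_time": int(float(notable["_time"])),  # notable creation time
        "end_time": 0,
        "comments": [],
        "tags": [],
        "sourcetype": "stash",
        "host": splunk_host,
        "raw": json.dumps(build_raw(notable), separators=(",", ":")),
    }


def decode_raw(payload):
    """Parse the nested "raw" string back into a dict (what ES will see)."""
    return json.loads(payload["raw"])


def post_investigation_event(payload, base_url, token, verify_tls=True):
    """POST the body the way the post's curl does. verify_tls=False is curl -k;
    keep it True outside a lab with self-signed certificates. Network call,
    not exercised by the sample below."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"{base_url}/services/storage/investigation/investigation_event?output_mode=json",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


def example_payload():
    """Payload for the constructed sample against placeholder IDs."""
    return build_payload(SAMPLE_NOTABLE, "constructed-investigation-id", "splunk_es")


if __name__ == "__main__":
    print(json.dumps(example_payload(), indent=2))
```

The SPL's replace() only escapes double quotes, so a backslash or a newline inside _raw would still produce a string that fails to parse once it is embedded in the outer JSON; json.dumps escapes all of them, which is why the round trip in decode_raw returns the original _raw byte for byte. Read the bearer token from an environment variable or a secrets store rather than pasting it on the command line, where it ends up in shell history.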