If you are running Splunk ES 8.0 and above, Mission Control is built in. If you plan to install Mission Control because you are not on ES 8.x but later plan to upgrade to ES 8.x, it can be a little tricky.
Hello,
Looking for some real guidance here. We just implemented Splunk with an implementation team. We are pulling out notables to send to our case management product and then closing the notable (this way we are only searching for open notables to send, and if for some reason it doesn't send, it doesn't close, so it can attempt again).
We are having to add a `| head 1` to this search in order for the updatenotable command to know which notable to update and set to closed (not having the head command caused issues updating the notable to closed... seeing, say, 5 notables and then trying to update became too confusing for Splunk). This has caused us to make this search a real-time search (if we get 10 notables at the same time, we don't want to wait 10 minutes for that event to get over to us). I am going to provide some of the SPL and see if anyone knows a better way... we have been waiting for 4 months from Splunk on this.
`notable`
| where (status==1 AND notable_xref_id!="")
Some eval commands and table
| head 1
| sendalert XXXX param.X_instance_id=X param.alert_mode="X" param.unique_id_field=""
param.case_template="X" param.type="alert" param.source="splunk" param.timestamp_field=""
param.title=X param.description=X param.tags="X" param.scope=0
param.severity=X param.tlp=X param.pap=X
| table status event_id | eval status=5|updatenotable
Has anyone attempted to search in the notable index, pull multiple events, and update the notables in that search, and had successful results for multiple entries?
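The hand-off pattern described in the post (pull open notables, send each one to the case tool, close only what was delivered) can be done for a whole batch instead of one notable per run. The script below is an added example, not code from the post or from Splunk: it assumes the notables arrive as dicts from the post's `notable` search, that `send` stands in for the sendalert target and returns True on success, that the ES REST endpoint `services/notable_update` accepts the parameters `status`, `comment` and a repeated `ruleUIDs` (as documented for ES; verify against your version), and that the base URL, token and sample rows are placeholders or constructed values.

```python
"""Added example (not from the original post): hand a batch of open ES notables
to a case-management tool and close only the ones that were accepted, with one
call to the ES REST endpoint services/notable_update for the whole batch,
instead of `| head 1 ... | updatenotable` inside the search.

Assumptions (none of this comes from the post):
  * the notables arrive as dicts produced by the post's search
    (`notable` | where status==1 AND notable_xref_id!="") with at least
    event_id and rule_name; the sample rows below are constructed;
  * `send` stands in for the sendalert target and returns True on success;
  * parameter names status / comment / ruleUIDs follow the documented ES
    notable_update endpoint; verify against your ES version;
  * ES_BASE_URL and the bearer token are placeholders.
"""
from typing import Callable, Dict, Iterable, List, Tuple
import json
import urllib.parse
import urllib.request

STATUS_CLOSED = 5                            # ES default status id for "Closed", as in the post's eval status=5
ES_BASE_URL = "https://<search-head>:8089"   # placeholder, not a real host

# Constructed sample rows, shaped like the fields the post's search emits.
SAMPLE_NOTABLES: List[Dict[str, str]] = [
    {"event_id": "ev-1@@notable@@aaa", "rule_name": "Brute Force Access Behavior Detected", "status": "1"},
    {"event_id": "ev-2@@notable@@bbb", "rule_name": "Excessive Failed Logins", "status": "1"},
    {"event_id": "ev-3@@notable@@ccc", "rule_name": "Threat Activity Detected", "status": "1"},
]


def hand_off(notables: Iterable[Dict[str, str]],
             send: Callable[[Dict[str, str]], bool]) -> Tuple[List[str], List[str]]:
    """Send every notable; return (event_ids to close, event_ids left open).

    A send that returns False or raises leaves that notable at status 1, so the
    next scheduled run of the search picks it up again: the retry behaviour the
    post describes, but per notable instead of per run.
    """
    to_close: List[str] = []
    to_retry: List[str] = []
    for n in notables:
        try:
            ok = bool(send(n))
        except Exception:          # network/API failure: do not close, retry next run
            ok = False
        (to_close if ok else to_retry).append(n["event_id"])
    return to_close, to_retry


def build_notable_update(event_ids: List[str], status: int = STATUS_CLOSED,
                         comment: str = "Closed after hand-off to case management") -> Dict[str, object]:
    """Form body for one notable_update call covering all event_ids.

    ruleUIDs is a repeated parameter, so one POST closes the whole batch;
    that removes the reason for `| head 1` in the post's search.
    """
    if not event_ids:
        raise ValueError("nothing to update")
    return {"status": str(status), "comment": comment, "ruleUIDs": list(event_ids)}


def encode_update(body: Dict[str, object]) -> str:
    """application/x-www-form-urlencoded with ruleUIDs repeated once per id."""
    return urllib.parse.urlencode(body, doseq=True)


def post_notable_update(body: Dict[str, object], token: str, base_url: str = ES_BASE_URL) -> dict:
    """POST the update to ES (live call, not exercised offline)."""
    req = urllib.request.Request(
        f"{base_url}/services/notable_update",
        data=encode_update(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def make_sender(reject: Iterable[str]) -> Callable[[Dict[str, str]], bool]:
    """Stand-in for the case tool that refuses the listed event_ids (constructed)."""
    rejected = set(reject)

    def send(n: Dict[str, str]) -> bool:
        return n["event_id"] not in rejected
    return send


if __name__ == "__main__":
    close_ids, retry_ids = hand_off(SAMPLE_NOTABLES, make_sender({"ev-2@@notable@@bbb"}))
    print("close:", close_ids, "retry next run:", retry_ids)
    print(encode_update(build_notable_update(close_ids)))
    # post_notable_update(build_notable_update(close_ids), token="<token>")  # live call
```

Run on a schedule in place of the real-time search, the script closes every notable the case tool accepted in one request and leaves the rejected ones at status 1 for the next run, so a delivery failure on one notable no longer blocks the rest of the batch.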
Hello all,
We want to enrich events as they become notables in ES before they are sent on to Mission Control. The thought is to enrich the event via some sort of search (all the data will be in Splunk already) to add DNS, DHCP, threat intel and some endpoint data.
Is it possible to have a search run against the notable index to gather information from other indexes and add it to the notable event? If so, I would love to discuss.
Hello all,
Starting at the end of next week, my team will be doing a POV of Splunk ES as a possible replacement for our current SIEM. We are looking at the cloud with the workload pricing model.
I am wondering if anyone can provide any tips or tricks related to doing a POV of ES: the sort of things you feel can be difficult or take time to complete, the monthly care and feeding of the product that you and your team do, and how the workload pricing actually computes in your environment (for example, say you have 100 SVCs, you send in 5 TB a day and do 1,000 searches...).
I appreciate any insight anyone can provide.
Thank you