×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jagan_jijo
Engager
Member since: ‎05-22-2025
‎05-23-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎05-22-2025
View All

Re: Help with Retrieving Bulk Incident Data via RE...

by in Splunk Enterprise Security
‎05-23-2025 01:31 AM
‎05-23-2025 01:31 AM
@livehybrid Thanks for the response! We're fairly new to Splunk and currently exploring Enterprise Security (ES) as our primary platform. what do you recommend as the industry standard? ES or ITSI? We’ve already reviewed the REST API documentation for retrieving fired alerts, search jobs, and events, and just wanted to double-check if that’s the recommended approach for pulling incident data during specific timeframes. Our main goal is to retrieve all incidents that occurred within a defined window and then collect the associated raw events for those incidents. We’re also exploring the use of HTTP notifications to reduce the number of API queries—ideally by triggering event collection based on incoming alerts. Regarding Better Webhooks, we’ve looked into it and it seems like a great solution. However, we’re hoping to build something similar natively within Splunk. Do you have any recommendations on how to approach building a custom webhook app or alert action? Also, is there a way to test such an app effectively within Splunk? ... View more

Help with Retrieving Bulk Incident Data via REST A...

by in Splunk Enterprise Security
‎05-22-2025 03:24 AM
‎05-22-2025 03:24 AM
Hi everyone, I'm working on improving our incident response and monitoring setup using Splunk, and I have a few questions I hope someone can help with: Bulk Incident Data Retrieval During Downtime: What’s the best way to retrieve a large volume of incident (via REST API) data from Splunk for a specific timeframe, especially during known downtime periods? Are there recommended search queries or techniques to ensure we capture everything that occurred during those windows? Querying Individual Event Data via Endpoints: How can we query Splunk endpoints (e.g., via REST API) to retrieve detailed data for individual events or incidents? Any examples or best practices would be greatly appreciated. Customizing Webhook Notifications: Is it possible to modify the structure or content of webhook notifications sent from Splunk without using third-party apps like Better Webhooks or Alert Managers? If so, how can this be done natively within Splunk?  Thanks in advance for any guidance or examples you can share!  Splunk Enterprise 6.2 Overview REST Endpoint Examples  ... View more
Splunk Enterprise 6.2 Overview
Thumbnail of Splunk Enterprise 6.2 Overview
Splunk Enterprise 6.2 Overview
Archived
Contact Me
Online Status
Offline
Date Last Visited
‎05-23-2025 01:27 AM
Karma given to
View All