Hello alll
I have following question:
If it is possible to create query which will change owner,status and add note to notable events?
for example with using macro notable
I have found all notable which need to be closed/resolved and I want to close them automatically, not by hand,
Thanks for answer
BR
Dawid
@alonsocaio Thanks a lot for your answer.
On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference
We've got example how to use curl with rest to update notable:
curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"
My another question do you know simple code in python for use this rest call.
@alonsocaio Thanks a lot for your answer.
On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference
We've got example how to use curl with rest to update notable:
curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"
My another question do you know simple code in python for use this rest call.
I use python requests, above is a simple function that can be used to close notables:
# STATUS
# 0 - Unassigned
# 1 - New
# 2 - In Progress
# 3 - Pending
# 4 - Resolved
# 5 - Closed
# URGENCY
# informational, low, medium, high, critical
status = 5
urgency = 'low'
comment = 'Closed by Python'
new_owner = 'admin'
rule_uids = EVENT_ID
def update_notable(status, urgency, comment, new_owner, rule_uids):
status = status
urgency = urgency
comment = comment
new_owner = new_owner
rule_uids = rule_uids
url = 'https://SPLUNK_SERVER:8089/services/notable_update'
params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner}
response = requests.request(method='POST', url=url, data=params, verify=False,
auth=HTTPBasicAuth('USER', 'PASSWORD'))
return response.text
Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...
I don't think you will be able to modify the notables from search, but one solution I have found was using the Splunk REST API. Maybe you could use your search query to trigger the REST API call to update the notable events. In my case I'm using a python script to update status, owner, urgency and notes of a notable event.
The following link brings more information about Notable Event API: https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference
One other possible solution would be to suppress the notable events, but this would just take the events out from Incident Review.