Required only if you are changing the disposition of the event. All of the events associated with this search will be modified unless a list of ruleUIDs are provided that limit the scope to a subset of the results.Īn ID for a disposition that matches a disposition in the nf configuration file. Include multiples of this attribute to edit multiple events. ![]() Must be provided if a searchID is not provided. Only required if reassigning the event.Ī list of notable event IDs. Only required if you are changing the urgency of the event.Īn owner. There are some REST API access and usage differences between Splunk Cloud Platform and Splunk Enterprise. See the REST API User Manual to learn about the Splunk REST API basic concepts. Only required if you are changing the status of the event.Īn urgency. Use the REST API Reference to learn about available endpoints and operations for accessing, creating, updating, or deleting resources. It also must include either a searchID or one or more ruleUIDs.Ī description of the change or some information about the notable events.Ī status ID matching a status in nf. See Using the REST API in Splunk Cloud Platform in the the Splunk REST API Tutorials for more information.Įdit all notable events that match one or more ruleUIDs, or edit all notable events that match a search.Īn argument string must include at least one of the following arguments: comment, status, urgency, newOwner. After installing the credentials, use the following URL. To get the required credentials, submit a support case on the Support Portal. If necessary, submit a support case to open port 8089 on your deployment. Use the following URL for clustered deployments. Use the following URL for single-instance deployments. Depending on your deployment type, use one of the following options to access REST API resources. Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Splunk Cloud Platform URL for REST API access Username and password authentication is used in the examples that follow. See Set up authentication with tokens in the Splunk Enterprise Securing the Splunk Platform manual. For more information on configuring user roles and capabilities for Splunk Enterprise Security, see Configure users and roles.Īlternatively, you can use token authentication. ![]() You must have the edit_notable_events capability along with the ess_analyst role to use the notable event endpoint. Username and password authentication is required for access to endpoints and REST operations. Usage details Authentication and Authorization See Using notable events in search on the Splunk developer portal. Instead, you can use Splunk search and macros to access the notables programmatically. ![]() There is no GET method for notable events in Splunk Enterprise Security. For more information about working with the framework, see Notable Event framework in Splunk ES on the Splunk developer portal. The Notable Event framework provides a way to identify noteworthy incidents from events and then manage the ownership, triage process, and state of those incidents. Access the Notable Event framework in Splunk Enterprise Security. For example, lets say I want to search my localhost for a saved search called mysavedsearch.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |