Warning: This app is archived.


Update Notable Command for ES

Have you ever wanted to be able to change the status/urgency of a notable, assign it to someone or add a comment to it based upon the results of a search? This app provides the `updatenotable` search command that allows you to do just that. Simply pipe notable search results to the command with the event_id field and one or more of the following fields: owner, status, urgency, comment.


Latest Version 0.1.1
March 30, 2021
Compatibility
Not Available
Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3, 7.2
Rating

0

(0)

Support
Not Supported
The `updatenotable` command opens up a range of possibilities not previously available, because you can now use the analytics in Splunk to change notables on a notable-by-notable basis. Here's a simple example of what this makes possible:

```
`notable`
| where status==5 AND isnull(comment) AND risk_score>=80
| fields event_id risk_score
| eval status=1, comment="Changing status of Closed notable to New because it has a high risk score (" . risk_score . ") but hasn't yet been commented on."
| updatenotable
```

If this were made into a scheduled search (preferably without an owner), it could look every few minutes for notables with a risk score of 80 or above that don't appear to have been triaged and change their status to 'New'.

Categories

Created By

Doug Brown

Type

addon

Downloads

866
