  1. import splunk
  2. import json
  3.  
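def updateNotableEvents(sessionKey, comment, status=None, urgency=None, owner=None, eventIDs=None, searchID=None):
    """
    Update some notable events through the notable_update REST handler.

    Arguments:
    sessionKey -- The session key to use (an authentication credential; do not log or print it)
    comment -- A description of the change or some information about the notable events
    status -- A status (only required if you are changing the status of the event)
    urgency -- An urgency (only required if you are changing the urgency of the event)
    owner -- A new owner (only required if reassigning the event)
    eventIDs -- A list of notable event IDs (must be provided if a search ID is not provided)
    searchID -- An ID of a search. All of the events associated with this search will be modified
                unless a list of eventIDs is provided that limits the scope to a sub-set of the results.

    Returns:
    The decoded JSON body returned by the REST handler.

    Raises:
    ValueError -- if no session key is given, or if neither eventIDs nor searchID is given
    RuntimeError -- if the server answers with a status other than 200
    """

    # Make sure that the session key was provided
    if sessionKey is None:
        raise ValueError("A session key was not provided")

    # Make sure that rule IDs and/or a search ID is provided
    if eventIDs is None and searchID is None:
        raise ValueError("Either eventIDs or a searchID must be provided (or both)")

    # Arguments for the REST handler. Only the attributes that are being changed
    # are sent, so anything left as None stays untouched on the server side.
    args = {'comment': comment}
    optional_fields = (
        ('status', status),
        ('urgency', urgency),
        ('newOwner', owner),
        # The list of event IDs that you want to change
        ('ruleUIDs', eventIDs),
        # The search whose notable events should be manipulated
        ('searchID', searchID),
    )
    for key, value in optional_fields:
        if value is not None:
            args[key] = value

    # Perform the request
    serverResponse, serverContent = splunk.rest.simpleRequest('/services/notable_update', sessionKey=sessionKey, postargs=args)

    # Make sure the request was successful. The status is compared as a string,
    # which is how the response dictionary carries it; the code is included in
    # the error so that a failure can be diagnosed without re-running the call.
    if serverResponse['status'] != '200':
        raise RuntimeError("Server response indicates that the request failed (status %s)" % serverResponse['status'])

    # Return the information about the request
    return json.loads(serverContent)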
  58.  
  59.  
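if __name__ == "__main__":

    #
    # Get a session key and make a function for outputting the results for the examples below
    #
    import os
    import time
    from splunk import auth
    import splunk.search

    # Credentials are read from the environment when present. The literal
    # values are the original example's placeholders and remain only as a
    # fallback so the demo keeps working unchanged; real credentials must not
    # be committed to source. (The variable names below are chosen by this
    # script, not defined by Splunk.)
    sessionKey = auth.getSessionKey(
        username=os.environ.get('SPLUNK_USERNAME', 'admin'),
        password=os.environ.get('SPLUNK_PASSWORD', 'changeme'),
    )

    def printResultMessage(response_info):
        """Print a human-readable summary of a notable_update response."""

        if not response_info['success']:
            print("The operation was not successful")

        if 'failure_count' in response_info and response_info['failure_count'] > 0:
            print("Some failures were noted: " + str(response_info['failure_count']))

        print(response_info['message'])

    #
    # Example 1: using known eventIDs
    #

    # Update some events and reassigning them, changing the status and urgency
    print("Updating some notable events...")
    printResultMessage(updateNotableEvents(sessionKey=sessionKey, comment='This is a test of the REST endpoint', status=5, urgency='high', owner='admin', eventIDs=['F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b', 'F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@846cb0c474332b07f2cf5a18bdd12009']))

    # Update some events by just adding a comment (leaves the assignee and urgency and status alone)
    print("Updating some notable events but this time just leaving some comments...")
    printResultMessage(updateNotableEvents(sessionKey=sessionKey, comment='Just adding a comment', eventIDs=['F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b', 'F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@846cb0c474332b07f2cf5a18bdd12009']))

    #
    # Example 2: updating all notables that match a search
    #

    print("Updating some notable events by processing the results from a search...")

    # Kick off a search
    job = splunk.search.dispatch("search `notable` | head 2", sessionKey=sessionKey, earliest='-7d')

    # Wait until the search is done. Poll once per second rather than spinning,
    # and leave as soon as the job reports completion: the previous loop also
    # insisted on a non-zero result count, which never terminated when the
    # search finished with nothing to show.
    while not job.isDone:
        time.sleep(1)
    print("Search is done, result count is %s" % job.resultCount)

    # Process the search results
    if job.resultCount > 0 or job.eventCount > 0:
        print("Updating the notable events in the completed search")
        printResultMessage(updateNotableEvents(sessionKey=sessionKey, comment='Just adding a comment via a search', searchID=job.sid))
    else:
        print("The search returned no notable events; nothing to update")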