import json

import splunk
import splunk.rest
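def updateNotableEvents(sessionKey, comment, status=None, urgency=None, owner=None, eventIDs=None, searchID=None):
    """
    Update some notable events through the /services/notable_update REST handler.

    Arguments:
    sessionKey -- The session key to use
    comment -- A description of the change or some information about the notable events
    status -- A status (only required if you are changing the status of the event)
    urgency -- An urgency (only required if you are changing the urgency of the event)
    owner -- A new owner (only required if reassigning the event)
    eventIDs -- A list of notable event IDs (must be provided if a search ID is not provided)
    searchID -- An ID of a search. All of the events associated with this search will be modified unless a list of eventIDs is provided that limits the scope to a sub-set of the results.

    Returns the JSON-decoded body of the server response.

    Raises ValueError when sessionKey is missing or when neither eventIDs nor
    searchID is given, and Exception when the server does not answer with
    HTTP status 200.
    """
    # Make sure that the session key was provided
    if sessionKey is None:
        raise ValueError("A session key was not provided")

    # Make sure that event IDs and/or a search ID is provided
    if eventIDs is None and searchID is None:
        raise ValueError("Either eventIDs or a searchID must be provided (or both)")

    # These are the arguments to the REST handler; optional fields are only
    # sent when set so the server leaves the corresponding attribute alone
    args = {'comment': comment}

    optional = (
        ('status', status),
        ('urgency', urgency),
        ('newOwner', owner),       # the handler names the new assignee "newOwner"
        ('ruleUIDs', eventIDs),    # limits the change to these event IDs
        ('searchID', searchID),    # applies the change to the results of this search
    )
    for key, value in optional:
        if value is not None:
            args[key] = value

    # Perform the request
    serverResponse, serverContent = splunk.rest.simpleRequest('/services/notable_update', sessionKey=sessionKey, postargs=args)

    # Make sure the request was successful (simpleRequest reports the HTTP
    # status as a string)
    if serverResponse['status'] != '200':
        raise Exception("Server response indicates that the request failed (HTTP status %s)" % serverResponse['status'])

    # Return the information about the request
    return json.loads(serverContent)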
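if __name__ == "__main__":
    #
    # Get a session key and make a function for outputting the results for the examples below
    #
    import time
    from splunk import auth

    # NOTE(review): the admin credentials below are hard-coded for this example only;
    # anything beyond a throwaway dev instance should load them from a secrets
    # store or the environment rather than committing them to source.
    sessionKey = auth.getSessionKey(username='admin', password='changeme')

    def printResultMessage(response_info):
        """Print a human-readable summary of a notable_update response body."""
        if not response_info.get('success'):
            print("The operation was not successful")
        if response_info.get('failure_count', 0) > 0:
            print("Some failures were noted: " + str(response_info['failure_count']))
        print(response_info.get('message'))

    #
    # Example 1: using known eventIDs
    #

    # Update some events and reassign them, changing the status and urgency
    print("Updating some notable events...")
    printResultMessage(updateNotableEvents(sessionKey=sessionKey, comment='This is a test of the REST endpoint', status=5, urgency='high', owner='admin', eventIDs=['F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b', 'F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@846cb0c474332b07f2cf5a18bdd12009']))

    # Update some events by just adding a comment (leaves the assignee, urgency and status alone)
    print("Updating some notable events but this time just leaving some comments...")
    printResultMessage(updateNotableEvents(sessionKey=sessionKey, comment='Just adding a comment', eventIDs=['F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b', 'F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@846cb0c474332b07f2cf5a18bdd12009']))

    #
    # Example 2: updating all notables that match a search
    #
    import splunk.search

    print("Updating some notable events by processing the results from a search...")

    # Kick off a search
    job = splunk.search.dispatch("search `notable` | head 2", sessionKey=sessionKey, earliest='-7d')

    # Wait until the search is done. Sleep between polls instead of spinning,
    # and stop as soon as the job finishes: waiting for a non-zero result count
    # would loop forever when the search legitimately matches nothing.
    # (presumably job.isDone re-reads the job state on each access -- verify against the SDK)
    while not job.isDone:
        time.sleep(1)
    print("Search is done, result count is %s" % job.resultCount)

    # Process the search results, but only when there is something to update
    if job.resultCount > 0 or job.eventCount > 0:
        print("Updating the notable events in the completed search")
        printResultMessage(updateNotableEvents(sessionKey=sessionKey, comment='Just adding a comment via a search', searchID=job.sid))
    else:
        print("The search returned no notable events; nothing to update")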