"""This script shows how to get notable events from a Splunk instance running E

1. """
2. This script shows how to get notable events from a Splunk instance running Enterprise Security.
3.  
4. This script runs using the libraries built into Splunk. You can run it like this:
5.  
6. /opt/splunk/bin/splunk cmd python get_notables.py
7. """
8.  
9. import splunk.auth
10. import splunk.search
11. import time
12.  
13. def get_notables(session_key, earliest, latest, max_results=10000):
14. # Declare some static vars
15. search = '| search `notable` | head %i' % int(max_results)
16. latest_time = latest
17. earliest_time = earliest
18.  
19. # Kick off the search
20. search_job = splunk.search.dispatch(search, earliest_time=earliest_time, latest_time=latest_time, sessionKey=session_key)
21.  
22. # Wait for the search to complete
23. while search_job.isDone != True:
24. time.sleep(1)
25.  
26. # Try to process the results
27. searchID = search_job.sid
28.  
29. # This is mostly a copy from the notable event REST handler:
30. job = splunk.search.getJob(searchID, sessionKey=session_key)
31.  
32. # Get the results so that we can process them
33. dataset = getattr(job, 'events')
34.  
35. return dataset
36.  
37. # Authenticate
38. session_key = splunk.auth.getSessionKey(username='admin', password='changeme')
39.  
40. # Get the notables
41. notables = get_notables(session_key, '-24h', 'now', 10)
42.  
43. # Print the source of the given notable (just to show how to get the fields)
44. for notable in notables:
45. print notable['source']