An example of how to edit notable events using the REST API in the Enterprise Security app for Splunk. #splunk
import requests
import warnings

# A request made with verify=False makes urllib3 emit an InsecureRequestWarning every
# time. Silence only that category (message, module and lineno stay at their defaults)
# so the example output is readable when the test instance uses a self-signed cert.
# Outside a lab, pass the CA bundle through requests' verify= argument instead of
# muting the warning: with verification off, the session key and credentials sent
# below can be read or altered by anyone in the network path.
warnings.filterwarnings('ignore', category=requests.packages.urllib3.exceptions.InsecureRequestWarning)
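# Here is a helper function for editing notable events
def updateNotableEvents(sessionKey, baseurl, comment, status=None, urgency=None, owner=None, eventIDs=None, searchID=None, verify=False):
    """
    Update some notable events through the ES ``notable_update`` REST endpoint.

    Arguments:
    sessionKey -- The session key to use
    baseurl    -- The URL of splunkd (e.g. "https://localhost:8089/"); a missing
                  trailing slash is tolerated
    comment    -- A description of the change or some information about the notable events
    status     -- A status (only required if you are changing the status of the event)
    urgency    -- An urgency (only required if you are changing the urgency of the event)
    owner      -- An owner (only required if reassigning the event)
    eventIDs   -- A list of notable event IDs (must be provided if a search ID is not provided)
    searchID   -- An ID of a search. All of the events associated with this search will be
                  modified unless a list of eventIDs are provided that limit the scope to a
                  sub-set of the results.
    verify     -- Handed to requests as its TLS verification setting. Defaults to False so
                  existing callers (self-signed lab certificates) keep working; set it to
                  True or to a CA bundle path for any instance you care about, because
                  False lets an on-path attacker read the session key and the changes.

    Returns the decoded JSON body of the endpoint's response.

    Raises ValueError (a subclass of Exception, so existing handlers still match) when
    sessionKey is None or when neither eventIDs nor searchID is given.
    """
    # Make sure that the session ID was provided
    if sessionKey is None:
        raise ValueError("A session key was not provided")

    # Make sure that rule IDs and/or a search ID is provided. (The earlier version had an
    # unreachable `return False` after this raise; it was dead code and is gone.)
    if eventIDs is None and searchID is None:
        raise ValueError("Either eventIDs or a searchID must be provided (or both)")

    # These are the arguments to the REST handler
    args = {'comment': comment, 'output_mode': 'json'}

    # Optional fields are only sent when the caller supplied them, so the endpoint
    # leaves the other attributes of the events alone
    if status is not None:
        args['status'] = status
    if urgency is not None:
        args['urgency'] = urgency
    if owner is not None:
        args['newOwner'] = owner

    # Provide the list of event IDs that you want to change
    if eventIDs is not None:
        args['ruleUIDs'] = eventIDs

    # If you want to manipulate the notable events returned by a search then include the search ID
    if searchID is not None:
        args['searchID'] = searchID

    # The session key goes in the Authorization header, not in the URL or the form body
    auth_header = {'Authorization': 'Splunk %s' % sessionKey}

    # Tolerate a baseurl given with or without the trailing slash
    url = baseurl.rstrip('/') + '/services/notable_update'

    mod_notables = requests.post(url, data=args, headers=auth_header, verify=verify)
    return mod_notables.json()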
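if __name__ == "__main__":
    # Change these to reflect the settings for your host. Keep real credentials out of
    # this file (and out of version control) once you move past the default lab account.
    username = 'admin'
    password = 'changeme'
    baseurl = 'https://localhost:8089/'

    #
    # Get a session ID and make a function for outputting the results for the example below
    #
    # The login now uses the variables above; the earlier version posted the literal
    # 'admin' / 'changeme', so editing username/password had no effect on the login.
    # verify=False is kept for the self-signed lab instance; see the note on the
    # warnings filter at the top of the file before using this against anything else.
    auth_req = requests.post(baseurl.rstrip('/') + '/services/auth/login',
                             data={'username': username, 'password': password, 'output_mode': 'json'},
                             verify=False)
    # Fail on a rejected login with requests' HTTP error instead of a KeyError on
    # 'sessionKey' further down
    auth_req.raise_for_status()
    sessionKey = auth_req.json()['sessionKey']

    def printResultMessage(response_info):
        """Print a short summary of the dict returned by updateNotableEvents."""
        if not response_info.get('success'):
            print("The operation was not successful")
        if 'failure_count' in response_info and response_info['failure_count'] > 0:
            print("Some failures were noted: " + str(response_info['failure_count']))
        print(response_info.get('message', ''))

    # Update some events: reassign them and change the status and urgency
    print("Updating some notable events...")
    printResultMessage(updateNotableEvents(sessionKey=sessionKey,
                                           baseurl=baseurl,
                                           comment='This is a test of the REST endpoint',
                                           status=5,
                                           urgency='high',
                                           owner='admin',
                                           eventIDs=['80C1DA7F-5DD1-43AF-B2CA-3ADA13CF178A@@notable@@47a1f0cccea068201729736acdb67602']))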