@LukeMurphey
Last active August 26, 2016 16:56
An example of how to edit notable events using the REST API in the Enterprise Security app for Splunk. #splunk
import requests
# Ignore warnings about self-signed certificates if using them
import warnings
# Only the warning is silenced here; requests made with verify=False still
# skip TLS certificate validation entirely.
warnings.filterwarnings(
    'ignore',
    category=requests.packages.urllib3.exceptions.InsecureRequestWarning,
)
# Here is a helper function for editing notable events
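def updateNotableEvents(sessionKey, baseurl, comment, status=None, urgency=None, owner=None, eventIDs=None, searchID=None, verify=False):
    """
    Update some notable events through the Enterprise Security ``notable_update`` REST handler.

    Arguments:
    sessionKey -- The session key to use (sent as a ``Splunk <key>`` Authorization header)
    baseurl -- The URL of splunkd (e.g. "https://localhost:8089/"); a missing trailing slash is tolerated
    comment -- A description of the change or some information about the notable events
    status -- A status (only required if you are changing the status of the event)
    urgency -- An urgency (only required if you are changing the urgency of the event)
    owner -- An owner (only required if reassigning the event)
    eventIDs -- A list of notable event IDs (must be provided if a search ID is not provided)
    searchID -- An ID of a search. All of the events associated with this search will be modified unless a list of eventIDs is provided that limits the scope to a sub-set of the results.
    verify -- Passed straight to ``requests.post``: ``True`` or the path to a CA bundle turns TLS certificate verification on. Defaults to ``False`` (the original behaviour) so existing self-signed lab setups keep working; with ``False`` the session key travels to whichever host answers, so supply a CA bundle path outside a lab.

    Returns the decoded JSON body returned by the REST handler.

    Raises ValueError when sessionKey is missing, or when neither eventIDs nor searchID is given.
    """
    # Make sure that the session key was provided
    if sessionKey is None:
        raise ValueError("A session key was not provided")

    # Make sure that rule IDs and/or a search ID is provided
    if eventIDs is None and searchID is None:
        raise ValueError("Either eventIDs or a searchID must be provided (or both)")

    # These are the arguments to the REST handler. Only the fields the caller
    # actually wants to change are included so the handler leaves the rest alone.
    args = {'comment': comment, 'output_mode': 'json'}

    if status is not None:
        args['status'] = status

    if urgency is not None:
        args['urgency'] = urgency

    if owner is not None:
        args['newOwner'] = owner

    # Provide the list of event IDs that you want to change
    if eventIDs is not None:
        args['ruleUIDs'] = eventIDs

    # If you want to manipulate the notable events returned by a search then include the search ID
    if searchID is not None:
        args['searchID'] = searchID

    auth_header = {'Authorization': 'Splunk %s' % sessionKey}

    # Tolerate a baseurl given with or without a trailing slash
    endpoint = baseurl.rstrip('/') + '/services/notable_update'

    mod_notables = requests.post(endpoint, data=args, headers=auth_header, verify=verify)

    return mod_notables.json()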
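if __name__ == "__main__":
    import os

    # Change these to reflect the settings for your host. The password can also be
    # supplied through the SPLUNK_PASSWORD environment variable so it does not
    # have to be kept in this file.
    username = 'admin'
    password = os.environ.get('SPLUNK_PASSWORD', 'changeme')
    baseurl = 'https://localhost:8089/'

    #
    # Get a session key and make a function for outputting the results for the example below
    #
    # verify=False skips TLS certificate validation; acceptable only against a
    # self-signed lab instance, since the credentials are sent over that connection.
    auth_req = requests.post(
        baseurl + 'services/auth/login',
        data={'username': username, 'password': password, 'output_mode': 'json'},
        verify=False,
    )
    # Fail clearly on a rejected login instead of a KeyError on 'sessionKey' below
    auth_req.raise_for_status()
    sessionKey = auth_req.json()['sessionKey']

    def printResultMessage(response_info):
        """Print a short summary of a notable_update response dictionary."""
        if not response_info['success']:
            print("The operation was not successful")

        if response_info.get('failure_count', 0) > 0:
            print("Some failures were noted: " + str(response_info['failure_count']))

        print(response_info['message'])

    # Update some events: reassign them and change the status and urgency
    print("Updating some notable events...")
    printResultMessage(updateNotableEvents(
        sessionKey=sessionKey,
        baseurl=baseurl,
        comment='This is a test of the REST endpoint',
        status=5,
        urgency='high',
        owner='admin',
        eventIDs=['80C1DA7F-5DD1-43AF-B2CA-3ADA13CF178A@@notable@@47a1f0cccea068201729736acdb67602'],
    ))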