LukeMurphey · April 6, 2023 14:45
diff --git a/get_notables.py b/get_notables.py
 """
 This script shows how to get notable events from a Splunk instance running Enterprise Security.

 This script runs using the libraries built into Splunk. You can run it like this:

    /opt/splunk/bin/splunk cmd python get_notables.py
 """

 import splunk.auth
 import splunk.search
 import time

 def get_notables(session_key, earliest, latest, max_results=10000, event_id=None):
    # Declare some static vars
    if event_id is None:
        search = '| search `notable` | head %i' % int(max_results)
    else:
        search = '| search `notable` | search event_id="%s"' % event_id

    latest_time = latest
    earliest_time = earliest

    # Kick off the search
    search_job = splunk.search.dispatch(search, earliest_time=earliest_time, latest_time=latest_time, sessionKey=session_key)

    # Wait for the search to complete
    while search_job.isDone != True:
        time.sleep(1)

    # Try to process the results
    searchID = search_job.sid

    # This is mostly a copy from the notable event REST handler:
    job = splunk.search.getJob(searchID, sessionKey=session_key)

    # Get the results so that we can process them
    dataset = getattr(job, 'events')

    return dataset

 def get_notable(session_key, event_id=None):
    dataset = get_notables(session_key, '0', 'now', event_id=event_id)

    if dataset is not None:
        return dataset[0]
    else:
        return None

 # Authenticate
 session_key = splunk.auth.getSessionKey(username='admin', password='changeme')

 # Get the notables
 notables = get_notables(session_key, '-24h', 'now', 10)

 # Print the source of the given notable (just to show how to get the fields)
 for notable in notables:
    print notable['source']

 # Get a particular notable
 notable = get_notable(session_key, "B8B60455-7903-4D42-A92B-06BEE56FDC88@@notable@@003687a4169f3535ba0c2579283b013b")

 print notable
	"""
	This script shows how to get notable events from a Splunk instance running Enterprise Security.

	This script runs using the libraries built into Splunk. You can run it like this:

	/opt/splunk/bin/splunk cmd python get_notables.py
	"""

	import splunk.auth
	import splunk.search
	import time

	def get_notables(session_key, earliest, latest, max_results=10000, event_id=None):
	# Declare some static vars
	if event_id is None:
	search = '\| search `notable` \| head %i' % int(max_results)
	else:
	search = '\| search `notable` \| search event_id="%s"' % event_id

	latest_time = latest
	earliest_time = earliest

	# Kick off the search
	search_job = splunk.search.dispatch(search, earliest_time=earliest_time, latest_time=latest_time, sessionKey=session_key)

	# Wait for the search to complete
	while search_job.isDone != True:
	time.sleep(1)

	# Try to process the results
	searchID = search_job.sid

	# This is mostly a copy from the notable event REST handler:
	job = splunk.search.getJob(searchID, sessionKey=session_key)

	# Get the results so that we can process them
	dataset = getattr(job, 'events')

	return dataset

	def get_notable(session_key, event_id=None):
	dataset = get_notables(session_key, '0', 'now', event_id=event_id)

	if dataset is not None:
	return dataset[0]
	else:
	return None

	# Authenticate
	session_key = splunk.auth.getSessionKey(username='admin', password='changeme')

	# Get the notables
	notables = get_notables(session_key, '-24h', 'now', 10)

	# Print the source of the given notable (just to show how to get the fields)
	for notable in notables:
	print notable['source']

	# Get a particular notable
	notable = get_notable(session_key, "B8B60455-7903-4D42-A92B-06BEE56FDC88@@notable@@003687a4169f3535ba0c2579283b013b")

	print notable