Splunk® Enterprise Security

REST API Reference

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. Click here for the latest version.
Acrobat logo Download topic as PDF

Notable Event API reference

Access the Notable Event framework in Splunk Enterprise Security.

The Notable Event framework provides a way to identify noteworthy incidents from events and then manage the ownership, triage process, and state of those incidents. For more information about working with the framework, see Notable Event framework in Splunk ES on the Splunk developer portal.

There is no GET method for notable events in Splunk Enterprise Security. Instead, you can use Splunk search and macros to access the notables programmatically. See Using notable events in search on the Splunk developer portal.

Usage details

Authentication and Authorization

Username and password authentication is required for access to endpoints and REST operations. You must have the edit_notable_events capability to use the notable event endpoint.

Alternatively, you can use token authentication. See Set up authentication with tokens in the Splunk Enterprise Securing the Splunk Platform manual.

Username and password authentication is used in the examples that follow.

Splunk Cloud Platform URL for REST API access

Splunk Cloud Platform has a different host and management port syntax than Splunk Enterprise. Depending on your deployment type, use one of the following options to access REST API resources.

Splunk Cloud Platform deployments
Use the following URL for single-instance deployments.


Use the following URL for clustered deployments. If necessary, submit a support case to open port 8089 on your deployment.


To get the required credentials, submit a support case on the Support Portal. After installing the credentials, use the following URL.


See Using the REST API in Splunk Cloud Platform in the the Splunk REST API Tutorials for more information.


Edit all notable events that match one or more ruleUIDs, or edit all notable events that match a search.




Update the status, urgency, owner, or comment of one or more notable events.

Request parameters
An argument string must include at least one of the following arguments: comment, status, urgency, newOwner. It also must include either a searchID or one or more ruleUIDs.

Field Description
comment A description of the change or some information about the notable events.
status A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event.
urgency An urgency. Only required if you are changing the urgency of the event.
newOwner An owner. Only required if reassigning the event.
ruleUIDs A list of notable event IDs. Must be provided if a searchID is not provided. Include multiples of this attribute to edit multiple events. For example, ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&ruleUIDs
searchID An ID of a search. All of the events associated with this search will be modified unless a list of ruleUIDs are provided that limit the scope to a subset of the results.
disposition An ID for a disposition that matches a disposition in the reviewstatuses.conf configuration file. Required only if you are changing the disposition of the event.


A success or failure message.

Example request

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

Example response

{"message":"1 event updated successfully","failure_count":0,"success":true,"details":{},"success_count":1}

Last modified on 29 January, 2022
Threat Intelligence API reference
Analytic Story API reference

This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters