Initial commit

README.md

@@ -0,0 +1,7 @@
+# TA-notableeditor
+This app provides a custom search command to mass edit notable events
+
+## Example
+```
+`notables` | head 10 | editnotables status="closed"
+```

bin/notableeditor.py

@@ -0,0 +1,75 @@
+from splunklib.searchcommands import dispatch, ReportingCommand, Configuration, Option
+import splunklib.client as client
+import sys
+import json
+
+STATUS_MAP = {
+    'new': 1,
+    'in progress': 2,
+    'pending': 3,
+    'resolved': 4,
+    'closed': 5
+}
+
+VALID_URGENCIES = [
+    'critical', 'high',
+    'medium', 'low',
+    'informational'
+]
+
+@Configuration(requires_preop=True)
+class EditNotablesCommand(ReportingCommand):
+    comment = Option(
+        doc='The comment to set',
+        require=False)
+
+    status = Option(
+        doc='The status to set',
+        require=False)
+
+    urgency = Option(
+        doc='The urgency to set',
+        require=False)
+
+    newOwner = Option(
+        doc='The new owner of the notables',
+        require=False)
+
+    @Configuration()
+    def map(self, records):
+        return records
+
+    def reduce(self, records):
+        args = {}
+        if self.comment:
+            args['comment'] = self.comment
+
+        if self.status and self.status.lower() in STATUS_MAP.keys():
+            args['status'] = STATUS_MAP[self.status.lower()]
+
+        if self.urgency:
+            args['urgency'] = self.urgency
+
+        if self.newOwner:
+            args['newOwner'] = self.newOwner
+
+        if not self.urgency.lower() in VALID_URGENCIES:
+            yield {'result': f"The urgency value provided is not valid. Valid ones are: {VALID_URGENCIES}" }
+
+        if not args:
+            yield {'result': 'Please provide at least one of the options comment, status, urgency, newOwner' }
+            return
+
+        event_ids = []
+        for record in records:
+            event_ids.append(record['event_id'])
+
+        args['ruleUIDs'] = event_ids
+        req = client.Endpoint(
+            client.connect(token=self._metadata.searchinfo.session_key),
+            '/services/notable_update'
+        ).post(body=args)
+
+        yield json.loads(req['body'].readall().decode())
+
+dispatch(EditNotablesCommand, sys.argv, sys.stdin, sys.stdout, __name__)

bin/splunklib/__init__.py

@@ -0,0 +1,20 @@
+# Copyright 2011-2015 Splunk, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"): you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Python library for Splunk."""
+
+from __future__ import absolute_import
+from splunklib.six.moves import map
+__version_info__ = (1, 6, 16)
+__version__ = ".".join(map(str, __version_info__))