Managing Splunk ES Notable Events in Swimlane

Issue

I was recently asked by a client if Swimlane could manage “Notable Events” in Splunk’s Enterprise Security App, and if Swimlane could update the incident after it has been enriched, triaged, and analyzed (including the Case Management fields [Owner | Status | Urgency] and the Analyst’s comments). Below is a quick summary of the steps required.

Solution

  1. On your Splunk/ES instance, download and install the Swimlane App for Splunk

  2. Configure the TA-Swimlane App:

  3. Modify your Splunk Alert Action to create a “Notable Event”, or create a new “Correlation Search” in ES (Configure->Content Management). If you want every new “Notable Event” to be submitted to the Swimlane API, simply add notable in the search pattern.

  4. For Adaptive Response Action, select Swimlane, and add the Swimlane Application ID that you want the record to be created in:

  5. If you’re using Splunk’s Common Information Model (CIM), and your fields are already created in the Swimlane App, select “Auto Map”

  6. If you use customized field names in your Swimlane App, select “Custom Map” and supply the mapping as JSON: {“splunk_src_ip_field”: “Swimlane Field 1”, “splunk_dst_ip_field”: “Swimlane Field 2”} etc.

  7. If a new Notable Event comes in, it will automatically create a new record in Swimlane.

  8. In order to update the Splunk Incident from within Swimlane, create a new Swimlane [Python Integration] using the example code below (adjusted to match your environment), and select your pre-defined destination fields for the record:

     import json
     import requests

     url = 'https://splunk.server:8089/services/notable_update'
     event_id = sw_context.inputs['splunk_es_event_id']
     urgency = sw_context.inputs['case_severity']
     status_label = sw_context.inputs['case_status']
     owner = sw_context.inputs['case_owner']
     comment = sw_context.inputs['splunk_es_comment']

     # Splunk ES default Incident Review status codes
     status_codes = {
         'NEW': '1',
         'IN PROGRESS': '2',
         'PENDING': '3',
         'RESOLVED': '4',
         'CLOSED': '5'
     }
     if status_label not in status_codes:
         raise ValueError('Unknown case status: %s' % status_label)
     status = status_codes[status_label]

     # notable_update expects repeated form fields, so each value is sent as a list
     data = {
         'ruleUIDs': [event_id],
         'urgency': [urgency.lower()],
         'status': [status],
         'newOwner': [owner],
         'comment': [comment]
     }

     # verify=False disables TLS certificate validation (self-signed splunkd cert);
     # trust the CA and use verify=True or verify='/path/to/ca.pem' in production
     splunk_es = requests.post(url, data=data, verify=False, auth=('api_user_name', 'api_user_password'))
     splunk_es.raise_for_status()
     response = json.loads(splunk_es.text)
     sw_outputs = [response]
    
  9. As you execute the “Update Splunk Notable Event” [Python Integration] in Swimlane (either through a manual trigger or automatically via the workflow), the case status/owner/urgency and comments can be viewed in Splunk ES under Incident Review:
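The notable_update call in step 8 sends whatever the Swimlane record holds; this added example (not code from the Swimlane App or from the original post) separates building a validated request body from posting it, so an unmapped status label or a misspelled urgency fails in Swimlane instead of reaching Splunk ES, and the response's success flag is checked. It uses the standard library instead of requests, keeps TLS verification on, and assumes the credentials tuple comes from a secured Swimlane input and that the endpoint answers with a JSON body containing "success" and "message".

```python
import base64
import json
import urllib.parse
import urllib.request

# Splunk ES default Incident Review status codes. 0 (Unassigned) is left out
# on purpose so an unexpected label raises instead of silently unassigning.
STATUS_CODES = {"NEW": "1", "IN PROGRESS": "2", "PENDING": "3",
                "RESOLVED": "4", "CLOSED": "5"}
URGENCIES = {"informational", "low", "medium", "high", "critical"}


def build_notable_update(event_id, status_label, urgency, owner, comment):
    """Validate the Swimlane record fields and build the notable_update body.
    Raises ValueError so the Swimlane task fails visibly rather than
    sending a half-formed update to Splunk ES.
    """
    if not event_id:
        raise ValueError("splunk_es_event_id is required")
    status = STATUS_CODES.get(status_label.strip().upper())
    if status is None:
        raise ValueError(f"unknown status label {status_label!r}")
    urgency = urgency.strip().lower()
    if urgency not in URGENCIES:
        raise ValueError(f"unknown urgency {urgency!r}")
    return {"ruleUIDs": [event_id], "status": [status], "urgency": [urgency],
            "newOwner": [owner], "comment": [comment]}


def encode_form(payload):
    """Splunk expects repeated form fields for list values (ruleUIDs=a&ruleUIDs=b)."""
    return urllib.parse.urlencode(payload, doseq=True).encode()


def update_notable(base_url, credentials, payload, opener=urllib.request.urlopen):
    """POST the update over TLS (certificate verification left on) and check the result.
    credentials is a (user, password) tuple taken from a secured Swimlane input,
    never a literal in the script. opener is injectable for offline testing.
    """
    user, password = credentials
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/services/notable_update",
                                 data=encode_form(payload), method="POST",
                                 headers={"Authorization": f"Basic {token}"})
    with opener(req, timeout=15) as resp:
        body = json.loads(resp.read().decode())
    # Assumption: the endpoint answers {"success": bool, "message": str, ...}
    if not body.get("success"):
        raise RuntimeError(f"notable_update rejected: {body.get('message')}")
    return body
```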
