Notable Events
Fetches notable events from Splunk Enterprise Security for threat detection and incident tracking.
Sync Type: Incremental Synchronisation
Requirements
Before configuring this input, you need to:
- Have Splunk Enterprise Security (ES) installed — the `notable` index is created by Splunk Enterprise Security. If you do not have ES installed, this input will not be able to retrieve events.
  - Verify ES is installed by checking that the `notable` index exists in your Splunk instance
- Create a Bearer Token — see the Splunk Bearer Token docs.
  - Log in to Splunk Web
  - Navigate to Settings → Tokens
  - Click New Token (or Create new token)
  - Provide a name and optional description
  - Click Create and copy the generated token
  - Securely store the token
- Ensure the REST API port is reachable — the default REST API port is 8089. Verify that this port (or your configured port) is reachable from your Monad collector.
  - If using a custom port, note it for configuration
Details
Monad retrieves new notable events from Splunk Enterprise using incremental synchronisation. The input tracks the latest event timestamp (`_time`) seen in each sync run and, on the next run, retrieves only events with newer timestamps.
Data Retrieval Flow
- Creates a Splunk search job via `POST /services/search/jobs` with the Splunk Processing Language (SPL) query `search index=notable | sort 0 _time`
- On subsequent runs, the query becomes `search index=notable _time>{epoch} | sort 0 _time` to retrieve only newer events
- Stores the search job SID in state immediately after creation to enable resumption if interrupted
- Polls `GET /services/search/jobs/{sid}` every 10 seconds until the search completes (timeout: 5 minutes)
- Retrieves paginated results via `GET /services/search/jobs/{sid}/results` with 1000 records per page
- After each page, checkpoints the latest `_time` epoch value so the next run only fetches newer events
- Deletes the search job via `DELETE /services/search/jobs/{sid}` after all results are streamed
- On restart: if a SID is stored in state, resumes polling and streaming that job instead of creating a new one
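The flow above, written out as an added example in Python (this is not Monad's or Splunk's own code). The endpoint paths, SPL queries, page size, poll interval and timeout come from this page; the `api` transport interface and the `FakeSplunk` stand-in, which lets the example run offline, are assumptions, and the real Splunk responses are wrapped differently than the flat dicts used here.

```python
import time

SEARCH_JOBS = "/services/search/jobs"   # base path of the three endpoints named on this page

def build_query(last_epoch=None):
    """First run: every notable event in time order; later runs: only events newer than the checkpoint."""
    q = "search index=notable"
    if last_epoch is not None:
        q += f" _time>{last_epoch}"
    return q + " | sort 0 _time"

def sync_notables(api, state, page_size=1000, poll_s=10, timeout_s=300, sleep=time.sleep):
    """One sync run. 'state' is the persisted checkpoint dict ({'sid', 'last_time'}); returns the events streamed."""
    sid = state.get("sid")            # a stored SID means a previous run was interrupted: resume it
    if sid is None:
        sid = api.post(SEARCH_JOBS, {"search": build_query(state.get("last_time"))})["sid"]
        state["sid"] = sid            # checkpoint the SID immediately so a crash can resume this job
    deadline = time.monotonic() + timeout_s
    while not api.get(f"{SEARCH_JOBS}/{sid}")["isDone"]:   # poll until the search completes
        if time.monotonic() > deadline:
            raise TimeoutError(f"search job {sid} did not finish within {timeout_s}s")
        sleep(poll_s)
    events, offset = [], 0
    while True:                       # page through results; checkpoint _time after every page
        page = api.get(f"{SEARCH_JOBS}/{sid}/results", {"count": page_size, "offset": offset})["results"]
        if not page:
            break
        events.extend(page)
        state["last_time"] = max(float(e["_time"]) for e in page)   # strict '>' in the next query
        offset += len(page)
    api.delete(f"{SEARCH_JOBS}/{sid}")   # fully streamed: remove the job and clear the stored SID
    state.pop("sid", None)
    return events

class FakeSplunk:
    """Constructed stand-in for the Splunk REST API (assumed response shape, not Splunk's real format)."""
    def __init__(self, events, polls_until_done=1):
        self.events, self.polls, self.jobs = events, polls_until_done, {}
    def _sid(self, path):
        return path.removeprefix(SEARCH_JOBS + "/").split("/")[0]
    def post(self, path, body):
        query, sid = body["search"], f"job{len(self.jobs) + 1}"
        after = float(query.split("_time>")[1].split()[0]) if "_time>" in query else -1.0
        self.jobs[sid] = sorted((e for e in self.events if e["_time"] > after), key=lambda e: e["_time"])
        return {"sid": sid}
    def get(self, path, params=None):
        if path.endswith("/results"):
            return {"results": self.jobs[self._sid(path)][params["offset"]:params["offset"] + params["count"]]}
        self.polls -= 1
        return {"isDone": self.polls <= 0}
    def delete(self, path):
        self.jobs.pop(self._sid(path))
```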
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Host | string | Yes | Splunk hostname or IP address without scheme (e.g., splunk.example.com or localhost). Do not include http:// or https://. |
| Port | integer | No | Splunk REST API port. Defaults to 8089 if not specified. |
| Cron | string | Yes | Schedule for running the input as a standard cron expression (e.g., 0 */6 * * * for every 6 hours). |
| Use Synthetic Data | boolean | No | Generate synthetic demo data instead of connecting to the real data source. Defaults to false. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Token | string | Yes | Splunk Bearer token used for authenticating REST API requests. Sent as the Authorization: Bearer <token> header. |
Rate Limits
| Scope | Limit | Window | Notes |
|---|---|---|---|
| API Requests | 10 | Per second | Conservative limit; Splunk Enterprise does not publicly document exact REST API rate limits |
Source: Internal rate limit configuration for reliability
Limitations
- Requires Splunk Enterprise Security (ES) to be installed
- Search job polling timeout is 5 minutes; very large result sets may require longer windows
Related Articles
- Splunk Enterprise Create Search API
- Splunk Enterprise Fetch Results API
- Splunk Enterprise Security Documentation