https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183305#M36690 <P>Can they be applied to the _raw field as well?</P> Thu, 19 Dec 2013 08:29:15 GMT FRoth 2013-12-19T08:29:15Z https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183302#M36687 <P>What do you regards as the best practice to filter false positives from all views. <BR /><BR /> Currently I add all false positives to a search macro like this: <BR /><BR /> Macro: fps <BR /><BR /> Expression: ( "user1234" OR "admin123" ) <BR /><BR /> <BR /><BR /> Then I use the " NOT `fps`" string in the search to filter the false positives from the view. Would you regard this as a good idea. I find it quite handy to change the single statement that is included in all searches and panels. A problem I have is that the expression grew pretty big and some of the searches from dashboard panels fail because of an over long URL query. <BR /><BR /> Would you prefer using "tags" or something else?</P> Wed, 18 Dec 2013 14:44:48 GMT https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183302#M36687 FRoth 2013-12-18T14:44:48Z https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183303#M36688 <P>I consider this a problem to be tuned on a per search basis. Generally I try to avoid doing the <CODE>NOT this NOT that</CODE> approach, but we all have to do it at times. I find it generally better to tune each search because there might be a case where something is a false positive for one search but not another search. In addition, as you noted, there becomes a management overhead and possible performance issue with it growing too big.</P> <P>You could make a saved search of <CODE>fps</CODE> that included all the other eventtypes, tags, macros, or other saved searches you create to mark false positives, but having a single definition used in too many places might bite you in the future.</P> <P>So, specifically I try to change my searches to be more specific in ways that won't find false positives and don't require negating a bunch of stuff manually. This is easier done with more complex profiling rather than simpler pattern matching searches, of course.</P> Wed, 18 Dec 2013 15:09:52 GMT https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183303#M36688 jtrucks 2013-12-18T15:09:52Z https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183304#M36689 <P>I like to use tags for this use case. Tags can be applied to any field, or can be applied to an eventtype for a more complex exclusion.</P> Wed, 18 Dec 2013 15:17:47 GMT https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183304#M36689 dart 2013-12-18T15:17:47Z https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183305#M36690 <P>Can they be applied to the _raw field as well?</P> Thu, 19 Dec 2013 08:29:15 GMT https://community.splunk.com/t5/Getting-Data-In/Best-practice-on-false-positives/m-p/183305#M36690 FRoth 2013-12-19T08:29:15Z