https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/598551#M10806 <P>Why was this answer accepted?&nbsp; It does not answer the question AT ALL!&nbsp; See my answer which does.</P> Thu, 19 May 2022 18:43:52 GMT woodcock 2022-05-19T18:43:52Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50023#M128 <P>In Enterprise Security, you can configure Notable Event Suppressions. When adding/editing a suppression, which file exactly is getting updated within Splunk? I've been looking in /etc/apps/SplunkEnterpriseSecuritySuite but I haven't found the file there (yet).</P> <P>The reason I ask is because I edited a suppression and now the 'notable event suppression' GUI doesn't work and I need to manually fix the suppression by modifying it in the file system.</P> <P>Thanks</P> Wed, 28 Aug 2013 17:51:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50023#M128 echojacques 2013-08-28T17:51:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50024#M129 <P>Hi. Do you mean the GUI doesn't display at all? This section in the ES docs describes how to create a new suppression: <A href="http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_events_from_new_correlation_searches">http://docs.splunk.com/Documentation/ES/latest/Install/NotableEventSuppression#Suppress_notable_events_from_new_correlation_searches</A> with the names of the files you would need to edit. You might check there first. </P> Wed, 28 Aug 2013 19:41:23 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50024#M129 jmckean_splunk 2013-08-28T19:41:23Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50025#M130 <P>Hi, I broke the GUI/webpage by blanking out the description and search fields in a suppression. If you do this, then you will get a webpage rendering error when trying to view the Notable Event Suppressions from within the GUI, I guess it doesn't know how to display a blank suppression.</P> <P>I was able to find the .conf file and edit the file manually which fixed the GUI problem. This is the file that I was looking for (it's also referenced in the document you mentioned) that stores all of the event suppressions (that the GUI reads from):</P> <PRE><CODE>etc/apps/SA-ThreatIntelligence/local/eventtypes.conf </CODE></PRE> Wed, 28 Aug 2013 19:55:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50025#M130 echojacques 2013-08-28T19:55:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50026#M131 <P>Feels like this question remains unanswered. </P> Wed, 25 Sep 2019 22:47:18 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/50026#M131 morethanyell 2019-09-25T22:47:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/598551#M10806 <P>Why was this answer accepted?&nbsp; It does not answer the question AT ALL!&nbsp; See my answer which does.</P> Thu, 19 May 2022 18:43:52 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/598551#M10806 woodcock 2022-05-19T18:43:52Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/598553#M10807 <P>They are stored as `eventtypes`.&nbsp; Search for "notable_suppression".</P> Thu, 19 May 2022 18:44:38 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/598553#M10807 woodcock 2022-05-19T18:44:38Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/654958#M11665 <P>See my answer.&nbsp; The accepted answer is useless.</P> Sat, 19 Aug 2023 14:16:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/654958#M11665 woodcock 2023-08-19T14:16:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/699850#M12085 <P>This is the right answer</P> Mon, 23 Sep 2024 14:10:01 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-are-Noteable-Event-Suppressions-stored-in-Splunk/m-p/699850#M12085 sarcome 2024-09-23T14:10:01Z