https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/666006#M11763 <P>That's not really a Splunk or ES-related question. It's related to your data and your use-cases. If you filter out some data, you don't have it. And if you don't have events, you can't base your searches (and thus use-cases) on them. As simple as that.</P><P>It's more a windows-related question to your admins to help you review the use cases you want to enable.</P> Tue, 24 Oct 2023 14:10:33 GMT PickleRick 2023-10-24T14:10:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/665875#M11760 <P>Hi,<BR /><BR />I'm trying to reduce the noise out of these EventCodes which we can exclude in the enterprise security point of view.<BR />Below are my stats of EventCodes, Could any one pls guide me in this&nbsp;<BR /><BR />EventCode count<BR />4624 25714108<BR />4799 12271228<BR />5140 4180598<BR />4672 2896823<BR />4769 2871064<BR />4776 2177516<BR />4798 1771003<BR />4768 1149826<BR />4662 919694<BR />4793 667396<BR />4627 428382<BR />4771 344400<BR />4702 261942<BR />4625 229393<BR />4698 131404<BR />4699 107254<BR />5059 92679<BR />4611 86837<BR />5379 74950<BR />4735 55988<BR />4770 31850<BR />4946 31586<BR />4719 30067<BR />4688 27561<BR />4948 26952<BR />4945 19959<BR />4648 17191<BR />4825 17016<BR />4697 13155<BR />6416 6977<BR /><BR />Thanks</P> Mon, 23 Oct 2023 15:47:52 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/665875#M11760 AL3Z 2023-10-23T15:47:52Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/665896#M11761 <P>Please give us your definition of "noise".</P><P>Do none of your other questions on the same topic address this, too?</P><P>Have you considered using Ingest Actions to avoid indexing unwanted data?&nbsp; See <A href="https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_in_Splunk_Enterprise" target="_blank">https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_in_Splunk_Enterprise </A>and <A href="https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/DataIngest" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/DataIngest</A></P> Mon, 23 Oct 2023 16:55:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/665896#M11761 richgalloway 2023-10-23T16:55:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/665925#M11762 <P>There are a number of event codes that have static descriptions of the event in each iteration of the event. This page shows how to trim off the event descriptions on ingest. This can save a lot of data.</P><P><A href="https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration" target="_blank">https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration</A></P> Mon, 23 Oct 2023 21:30:46 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/665925#M11762 fredclown 2023-10-23T21:30:46Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/666006#M11763 <P>That's not really a Splunk or ES-related question. It's related to your data and your use-cases. If you filter out some data, you don't have it. And if you don't have events, you can't base your searches (and thus use-cases) on them. As simple as that.</P><P>It's more a windows-related question to your admins to help you review the use cases you want to enable.</P> Tue, 24 Oct 2023 14:10:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/666006#M11763 PickleRick 2023-10-24T14:10:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/666113#M11764 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/146503">@fredclown</a>&nbsp;,<BR /><BR /></P><P>It will be there by default, no need of defining again !<BR /><BR /></P> Wed, 25 Oct 2023 09:59:08 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/666113#M11764 AL3Z 2023-10-25T09:59:08Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/666193#M11768 <P>The event code description trimming is not turned on by default. You need to specifically turn it on in a local props.conf.</P> Wed, 25 Oct 2023 16:05:19 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Reduce-the-noise-out-of-Security-EventCodes/m-p/666193#M11768 fredclown 2023-10-25T16:05:19Z