topic Suppression in Es by applying time limit in Splunk Search

Suppression in Es by applying time limit

fahimeh — Tue, 27 Aug 2024 07:30:28 GMT

Hello,

I want to write a suppression in Splunk ES that suppresses an event if a specific process occurs at 11 AM every day. This limitation should be applied to the raw logs because the ES rules execute within a specific time cycle and create notable events. My goal is to suppress the event when the rule runs, but only if the specific process exists at 11 AM.

How can I apply this time constraint in the suppression? Can I do this through the search I write? How?

How can I implement this time constraint on raw data? I need to limit the time in the raw event.

Re: Suppression in Es by applying time limit

gcusello — Tue, 27 Aug 2024 07:48:57 GMT

Hi @fahimeh ,

a suppression rule is a search that you can build as you need, containing also the time rules.

Ciao.

Giuseppe

Re: Suppression in Es by applying time limit

fahimeh — Tue, 27 Aug 2024 12:32:47 GMT

Thank you for your reply

Which time rules can I use in a search? Most time-related commands include | (like eval).

Re: Suppression in Es by applying time limit

gcusello — Tue, 27 Aug 2024 12:59:06 GMT

Hi @fahimeh ,

use the rule you need, e.g. if the haour cannot be 11 AM, you can insert in your search time_hour|=11.

It depends on your requirements.

Ciao.

Giuseppe

Re: Suppression in Es by applying time limit

fahimeh — Tue, 27 Aug 2024 13:06:58 GMT

thank you🌸
I will test and tell you exactly how it worked.

Re: Suppression in Es by applying time limit

gcusello — Tue, 27 Aug 2024 13:15:01 GMT

Hi @fahimeh ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉