
Splunk ES - Notification when a suppression is created

Builder

Hello,

Is there a way to get an RSS or email notification when a new notable suppression is created or enabled in ES?

0 Karma

Path Finder

You can create an alert and send an email for the following:

index=_internal sourcetype=notable_event_suppression:rest_handler "SuppressionAudit" action=create

I know this is an old question, but I have been doing some research lately myself and came upon this :). It only seems to apply when creating a suppression from ES, either through the Incident Review workflow action or through the Notable Event Suppression page under Content Management --> Incident Review (I believe - working from memory presently).
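As an added example that is not part of the original thread, here is what the alert described in the answer above could look like as a savedsearches.conf stanza. The base search is the one given in the answer; the stanza name, the 15-minute schedule, the recipient address and the subject line are assumed values to adapt to your environment:

```ini
# Added example (not from the thread): scheduled alert that emails when the
# ES REST handler logs creation of a notable event suppression.
[ES - New notable suppression created]
# Search from the answer above; host and _raw are default Splunk fields.
search = index=_internal sourcetype=notable_event_suppression:rest_handler "SuppressionAudit" action=create | table _time host _raw

# Look back over the same window the schedule covers (assumed: every 15 minutes).
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1

# Trigger whenever at least one matching event is found.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# One email per run listing all matches, with a link back to the results.
alert.digest_mode = 1
action.email = 1
action.email.to = secops@example.com
action.email.subject = [ES] New notable suppression created
action.email.sendresults = 1
action.email.include.results_link = 1
```

The same alert can be created in Splunk Web by running the search and choosing Save As > Alert; the stanza form is convenient for version control and for deploying to a search head cluster. Because the answer notes that this audit event is only written when the suppression is created through ES itself, review the suppression list directly if suppressions may be added by other means, and if enabling an existing suppression is logged under a different `action=` value in your version, widen the filter to cover it.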

Path Finder

You can create an alert to periodically run that monitors for new suppressions. That would be the fastest way.

0 Karma