
Where to enter source code to remove host from Dashboard?

Ted1621
Observer

I have one host that I want to remove from all my premade dashboards in the Splunk App for AWS Security Dashboards.  Can someone tell me where I would enter this in the source code for the Dashboard so that it always excludes this host? 

0 Karma

Ted1621
Observer

Thank you @andrew_nelson! Is there a way that I could just add a "text" input in the dashboard that says src_ip!=10.0.0.1? I think this is a more scalable way since I have other apps that I would want to exclude the host from as well.

0 Karma

andrew_nelson
Communicator

Yeah, if you have Edit permissions on the dashboards, you can add src_ip!=10.0.0.1 into the searches. 


It could be a lot of work depending on how the dashboard panels are configured. If the dashboard uses a base search, it will be quick enough to do that dashboard. If the dashboard doesn't have a base search, you'll have to edit every single panel.

0 Karma
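The text-input and base-search approach discussed above, sketched as a Simple XML dashboard. This is an added example, not part of the thread and not the app's own dashboard source; the token name `exclude_filter`, the search id, the panel titles and the fields `src_ip` and `eventName` are assumptions.

```xml
<form version="1.1">
  <label>CloudTrail activity (host exclusion example)</label>
  <fieldset submitButton="false">
    <!-- Text input from the question; the token name is an assumption -->
    <input type="text" token="exclude_filter" searchWhenChanged="true">
      <label>Exclusion filter</label>
      <default>src_ip!=10.0.0.1</default>
    </input>
  </fieldset>

  <!-- Base search: the only place the exclusion is applied.
       Field names (src_ip, eventName) are assumptions about the data. -->
  <search id="base_cloudtrail">
    <query>`aws-security-cloudtrail-index` $exclude_filter$
| stats count by src_ip, eventName</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Events by API call</title>
      <table>
        <!-- Post-process search: inherits the filtered base results -->
        <search base="base_cloudtrail">
          <query>| stats sum(count) as events by eventName | sort - events</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Events by source IP</title>
      <table>
        <search base="base_cloudtrail">
          <query>| stats sum(count) as events by src_ip | sort - events</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The token text is inserted into the search as typed, so anyone who can change the input can widen or drop the filter; a fixed value in the base search or in the index macro avoids that. Panels that run their own search instead of `base="base_cloudtrail"` do not inherit the exclusion and need the token added individually.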

andrew_nelson
Communicator

Take a look at the macros that come with the app. Settings > Advanced Search > Search Macros
You'll find some index macros like `aws-security-cloudtrail-index`, `aws-security-config-index` etc. that are used to specify the data used throughout the app.

You can edit these to add host!="hostabc" and the host should be removed.

0 Karma