Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Managing exceptions from within splunk

wsw70
Communicator
‎06-21-2012 07:55 AM

Hello,

I have a search which returns results, of which some are "false positives" which should not appear in the results. They need to be handled manually (in the sense that they would appear once, someone would check something and then come back with the confirmation that e.g. a given machine is OK, even though it appeared in the search).

I am wondering which way would be easiest for users to maintain such a list of false positives.

  • ideally I would like them to do this without quitting splunk
  • I was thinking about a plain text file with the names of the machines which would be looked up. If it can be accessed via splunk that could be OK, otherwise it gets tough (they would need to have ssh access to the server yada yada yada)
  • or maybe something else?

This solution need to be persistent in the sense that new data will be fed into splunk, containing these false positives, which should not reappear (what I mean is that they cannot be simply deleted, or otherwise hidden on a per-event basis).

Thanks for any ideas!

Tags (2)
Reply

woodcock
Esteemed Legend
‎07-07-2015 08:20 AM

This is very easy to do with a lookup file and a subsearch like this:

mySearch NOT [|inputlookup myLookupFile]

You then modify your lookup file as you get new false positives. You need to make sure that you name the columns the same as the fields in your data.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
li.common.scroll-to.top