Re: Managing exceptions from within splunk

wsw70 · ‎06-21-2012

Hello,

I have a search which returns results, of which some are "false positives" which should not appear in the results. They need to be handled manually (in the sense that they would appear once, someone would check something and then come back with the confirmation that e.g. a given machine is OK, even though it appeared in the search).

I am wondering which way would be easiest for users to maintain such a list of false positives.

ideally I would like them to do this without quitting splunk
I was thinking about a plain text file with the names of the machines which would be looked up. If it can be accessed via splunk that could be OK, otherwise it gets tough (they would need to have ssh access to the server yada yada yada)
or maybe something else?

This solution need to be persistent in the sense that new data will be fed into splunk, containing these false positives, which should not reappear (what I mean is that they cannot be simply deleted, or otherwise hidden on a per-event basis).

Thanks for any ideas!

woodcock · ‎07-07-2015

This is very easy to do with a lookup file and a subsearch like this:

mySearch NOT [|inputlookup myLookupFile]

You then modify your lookup file as you get new false positives. You need to make sure that you name the columns the same as the fields in your data.

Managing exceptions from within splunk

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!