Monitoring Splunk

Managing exceptions from within splunk

wsw70
Communicator

Hello,

I have a search which returns results, of which some are "false positives" which should not appear in the results. They need to be handled manually (in the sense that they would appear once, someone would check something and then come back with the confirmation that e.g. a given machine is OK, even though it appeared in the search).

I am wondering which way would be easiest for users to maintain such a list of false positives.

  • ideally I would like them to do this without quitting splunk
  • I was thinking about a plain text file with the names of the machines which would be looked up. If it can be accessed via splunk that could be OK, otherwise it gets tough (they would need to have ssh access to the server yada yada yada)
  • or maybe something else?

This solution needs to be persistent in the sense that new data will be fed into splunk, containing these false positives, which should not reappear (what I mean is that they cannot be simply deleted, or otherwise hidden on a per-event basis).

Thanks for any ideas!


woodcock
Esteemed Legend

This is very easy to do with a lookup file and a subsearch like this:

mySearch NOT [|inputlookup myLookupFile]

You then modify your lookup file as you get new false positives. You need to make sure that you name the columns the same as the fields in your data.

0 Karma
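As an added example (not from either poster), this is how the lookup-and-subsearch approach from the answer can be wired up so analysts maintain the list from the search bar, without shell access to the server. It assumes an app named myapp, events in index main with sourcetype myapp and a field named host, and a Splunk role named analyst; the stanza, macro and column names are invented for illustration.

```ini
# --- transforms.conf (in $SPLUNK_HOME/etc/apps/myapp/local/) ---
# Lookup definition; the CSV lives in myapp/lookups/ and starts as
# just a header row:  host,reason,confirmed_by,confirmed_at
# The "host" column must carry the same name as the field in the events.
[false_positives]
filename = false_positives.csv

# --- macros.conf ---
# Lets an analyst confirm a false positive from the search bar, e.g.
#   | `add_false_positive(web01, vuln scanner OPS-123, alice)`
# append=true adds one row instead of rewriting the whole file.
[add_false_positive(3)]
args = host, reason, who
definition = makeresults \
    | eval host="$host$", reason="$reason$", confirmed_by="$who$", \
           confirmed_at=strftime(now(), "%Y-%m-%d") \
    | fields host reason confirmed_by confirmed_at \
    | outputlookup append=true false_positives

# --- savedsearches.conf ---
# Scheduled search; the subsearch excludes every host in the lookup.
# "| fields host" matters: without it the other columns would also be
# returned and ANDed into the NOT clause, so nothing would ever match.
[suspicious_hosts_minus_fps]
search = index=main sourcetype=myapp status=suspicious \
    NOT [| inputlookup false_positives | fields host] \
    | stats count by host
cron_schedule = */15 * * * *
enableSched = 1
# Subsearch results are capped (10,000 rows by default), so for a large
# list use a lookup join instead of NOT [...]:
#   ... | lookup false_positives host OUTPUT confirmed_at
#       | where isnull(confirmed_at) | stats count by host

# --- metadata/local.meta ---
# Everyone can read the list; only admin and the analyst role may change
# it, so the suppression list itself is an audited, access-controlled object.
[lookups/false_positives.csv]
access = read : [ * ], write : [ admin, analyst ]
export = system

[transforms/false_positives]
access = read : [ * ], write : [ admin, analyst ]
export = system
```

Keeping reason, confirmed_by and confirmed_at alongside host means every suppressed machine carries a reviewable justification, and `| inputlookup false_positives` shows the full list to anyone who wants to audit it.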