Monitoring Splunk

Managing exceptions from within splunk

wsw70
Communicator

Hello,

I have a search which returns results, of which some are "false positives" which should not appear in the results. They need to be handled manually (in the sense that they would appear once, someone would check something and then come back with the confirmation that e.g. a given machine is OK, even though it appeared in the search).

I am wondering which way would be easiest for users to maintain such a list of false positives.

  • ideally I would like them to do this without quitting splunk
  • I was thinking about a plain text file with the names of the machines which would be looked up. If it can be accessed via splunk that could be OK, otherwise it gets tough (they would need to have ssh access to the server yada yada yada)
  • or maybe something else?

This solution needs to be persistent in the sense that new data will be fed into splunk, containing these false positives, which should not reappear (what I mean is that they cannot be simply deleted, or otherwise hidden on a per-event basis).

Thanks for any ideas!


woodcock
Esteemed Legend

This is very easy to do with a lookup file and a subsearch like this:

mySearch NOT [|inputlookup myLookupFile]

You then modify your lookup file as you get new false positives. You need to make sure that you name the columns the same as the fields in your data.

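To make the behaviour of `mySearch NOT [|inputlookup myLookupFile]` concrete, here is an added Python emulation (not from the answer above and not Splunk code) of what the subsearch expands to and how the exclusion is applied. The lookup columns, field names and event values are constructed for illustration: each lookup row becomes an AND of `field="value"` pairs, the rows are ORed together, and the `NOT` drops any event that matches a whole row. It also shows the pitfall the answer warns about: a lookup column whose name does not exist in the data never matches, so nothing is excluded.

```python
"""Emulate `mySearch NOT [|inputlookup myLookupFile]` on sample data.

Added example; the lookup columns, hosts and signatures below are
constructed, not taken from any real Splunk deployment.
"""
import csv
import io

# Constructed lookup file: one row per confirmed false positive.
# Column names (hypothetical) must equal the field names in the events.
LOOKUP_CSV = """host,signature
web01,possible_scan
db02,possible_scan
"""

# Constructed events standing in for the results of `mySearch`.
EVENTS = [
    {"host": "web01", "signature": "possible_scan"},
    {"host": "web01", "signature": "brute_force"},
    {"host": "db02", "signature": "possible_scan"},
    {"host": "app03", "signature": "possible_scan"},
]


def load_lookup(text):
    """Parse the CSV lookup into a list of {column: value} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def subsearch_expansion(rows):
    """Render (approximately) the filter Splunk substitutes for the
    subsearch: each row is an AND of field=value pairs, rows are ORed."""
    clauses = []
    for row in rows:
        pairs = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        clauses.append(f"( {pairs} )")
    return " OR ".join(clauses)


def matches_row(event, row):
    """True only when every lookup column equals the same-named event field.
    A column absent from the event never matches, which is why a typo in a
    column name silently disables the exclusion."""
    return all(event.get(k) == v for k, v in row.items())


def filter_false_positives(events, rows):
    """Apply the NOT: keep events that match no lookup row."""
    return [e for e in events if not any(matches_row(e, r) for r in rows)]


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    print("mySearch NOT ( " + subsearch_expansion(rows) + " )")
    for e in filter_false_positives(EVENTS, rows):
        print(e)
```

Two practical notes: because every column in a row has to match, adding an extra column (for example a ticket reference) to the lookup narrows the exclusion to events carrying that same field, so keep bookkeeping columns out of the lookup used by the subsearch or strip them with `| fields` inside it. Also, a subsearch returns a bounded number of rows (10,000 by default), so a very large suppression list is better applied with `| lookup myLookupFile host signature OUTPUT host AS suppressed | where isnull(suppressed)`.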