Hello All !,

Kindly help me to find a solution for this.

I need to whitelist the list of hosts ( the host count is >1220 and may add further) from all alerts. 

Field name for host is varying as per correlation search. I have been trying the below options for somedays:

1. Upload the list as Lookup table and whitelist through lookup in all correlation rule (which will cause retroactive alerts)

2. Suppression Rule - Since the host field name is different for each rule, i need to write the suppression rule for each correlation rule.

3. Single Suppression rule - Am not clear how to get the values of hosts in all correlation searches and map into a single field, and then search the values.

Currently am trying to write a query to get the host values from `notable` and compare the values. 

`notable` | fillnull value=0 Hostname,dest_host,nt_host,Computer_Name | eval whitelist_host=if(Hostname!=NULL, Hostname, if(dest_host!=NULL, dest_host, if(nt_host!=NULL, nt_host,Computer_Name))) | table whitelist_host search_name Hostname dest_host nt_host Computer_Name | dedup whitelist_host

`notable` | eval gifted_host=coalesce(coalesce(Hostname,dest_host),nt_host) | table gifted_host | dedup gifted_host

Please let me know for any suggestions or if we have any other option.