Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security - Notable limit

astatrial
Contributor
‎05-31-2021 07:57 AM

Hi all,

I have Splunk ES, with a bunch of rules.

The issue is that correlation rules generate notables for each result, which sometimes cause to a flood of notable alerts. In cases when a new wide and legitimate activity is detected (and wasn't excluded yet from the rule), tons of alerts are being created.

I look for a way to limit the number of notables alerts that each rule can generate, but to do it general, for all the rules, without manually modifying each rule.

Is this possible?

 

Example:

Name of rule: Test rule

Number of results: 500

Notable alerts: 20

 

Thanks 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...