Splunk Enterprise Security - Notable limit


Hi all,

I have Splunk ES, with a bunch of rules.

The issue is that correlation rules generate notables for each result, which sometimes cause to a flood of notable alerts. In cases when a new wide and legitimate activity is detected (and wasn't excluded yet from the rule), tons of alerts are being created.

I look for a way to limit the number of notables alerts that each rule can generate, but to do it general, for all the rules, without manually modifying each rule.

Is this possible?



Name of rule: Test rule

Number of results: 500

Notable alerts: 20



Labels (1)
Tags (3)
0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...