Splunk Enterprise Security - Notable limit


Hi all,

I have Splunk ES, with a bunch of rules.

The issue is that correlation rules generate notables for each result, which sometimes cause to a flood of notable alerts. In cases when a new wide and legitimate activity is detected (and wasn't excluded yet from the rule), tons of alerts are being created.

I look for a way to limit the number of notables alerts that each rule can generate, but to do it general, for all the rules, without manually modifying each rule.

Is this possible?



Name of rule: Test rule

Number of results: 500

Notable alerts: 20



Labels (1)
Tags (3)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...