Splunk Dev

Suppress Notable Event during certain time slot

jacqu3sy
Path Finder

Is it possible to suppress notable events in Enterprise Security during a specific time window?

i.e. when a server gets rebooted during a specific maintenance window that is the same time every day?

Tags (1)

Unister
Explorer

The python variable DEFAULT_DROPEXP contains fieldnames to delete when creating a notable event. As it contains date_*, you cannot directly use the date in a notable event suppression. But if you add

| rename date_hour as orig_date_hour, date_minute as orig_date_minute, date_wday as orig_date_wday

to the end of your correlation search, you can use the renamed fields in the notable event suppression:

`get_notable_index` orig_host=YOURHOST orig_date_hour=6 orig_date_minute>=25
0 Karma

jbjerke_splunk
Splunk Employee
Splunk Employee
0 Karma

Unister
Explorer

the linked page only shows how to set an Expiration Time. The author wants to suppress eventX between 03:00 and 03:59 every day. I had done this with date_hour in my event_suppression.

On a new installation this does not work anymore because the field date_hour is not added to notable events anymore...

0 Karma
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...