Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Suppress Notable Event during certain time slot

jacqu3sy
Path Finder
‎08-17-2017 04:03 AM

Is it possible to suppress notable events in Enterprise Security during a specific time window?

i.e. when a server gets rebooted during a specific maintenance window that is the same time every day?

Tags (1)
Reply

Unister
Explorer
‎10-19-2018 06:40 AM

The python variable DEFAULT_DROPEXP contains fieldnames to delete when creating a notable event. As it contains date_*, you cannot directly use the date in a notable event suppression. But if you add 

| rename date_hour as orig_date_hour, date_minute as orig_date_minute, date_wday as orig_date_wday

to the end of your correlation search, you can use the renamed fields in the notable event suppression:

`get_notable_index` orig_host=YOURHOST orig_date_hour=6 orig_date_minute>=25
0 Karma
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-19-2018 03:32 AM

Yes

Take a look at this docs page:
http://docs.splunk.com/Documentation/ES/4.7.4/Admin/Customizenotables#Create_and_manage_notable_even...

j

0 Karma
Reply

Unister
Explorer
‎10-19-2018 12:30 AM

the linked page only shows how to set an Expiration Time. The author wants to suppress eventX between 03:00 and 03:59 every day. I had done this with date_hour in my event_suppression.

On a new installation this does not work anymore because the field date_hour is not added to notable events anymore...

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...