Closing Notable Events - Set Close Datetime

gbam · ‎01-24-2024

I'm looking to close out (or delete) all notable events that were created prior to a specific date time. The way they're trying to run reports, it is easier to delete them or close them than it would be to filter them from the reports. Is there a way to use an eval query (or similar) or would it be best to use the API to close them? Or am I SOL and I need to filter from the dashboard / report query level?

datadevops · ‎01-28-2024

Hi there,

Eval Query for Limited Use:

While eval queries can modify certain fields, unfortunately, deleting or closing notable events directly isn't possible with them.

API Offers More Power:

The Splunk Search API is your best bet for bulk actions like closing or deleting events. You can leverage the delete or set endpoints to achieve your goal.

Filtering Still an Option:

If using the API feels daunting, consider refining your dashboard/report queries to exclude events before the specific date. Filtering might be less efficient for massive datasets, but it's a reliable route.

Remember:

Deleting is permanent, closing retains some data. Choose wisely!
Test your approach on a small sample before applying to all events.
Consult Splunk documentation for detailed API usage: <invalid URL removed>

~ If the reply helps, a Karma upvote would be appreciated

Closing Notable Events - Set Close Datetime

administration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?