Splunk Enterprise Security

Create event type as alert action

hcannon
Path Finder

Splunk Enterprise Security uses "event types" as a means to suppress future alerting on a set of field values. We like this feature, but I want users to be able to add a new suppression without having to log into Splunk directly. We are setting up a Slack bot that will post user responses to a specific index in Splunk - I want to create an automated process by which the data submitted by a user can be found and create a suppression event type in Splunk.

I was hoping to be able to create eventtypes in Splunk using the rest command, but since realized that only allows GET requests - I've looked around for a "eventtype" alert action, but there isn't one that I can find. I really don't want to have write a custom script for this, but it's looking like that might be the fix.

I am looking to see if anyone has implemented anything along these lines (we can't be the only ones that don't want to have to login to ES everytime we put in a suppression!) and how it was done. Or if anyone has any creative ideas for automation around creating eventtypes in Splunk.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.