Splunk Enterprise Security

Create event type as alert action

Path Finder

Splunk Enterprise Security uses "event types" as a means to suppress future alerting on a set of field values. We like this feature, but I want users to be able to add a new suppression without having to log into Splunk directly. We are setting up a Slack bot that will post user responses to a specific index in Splunk - I want to create an automated process by which the data submitted by a user can be found and create a suppression event type in Splunk.

I was hoping to be able to create eventtypes in Splunk using the rest command, but since realized that only allows GET requests - I've looked around for a "eventtype" alert action, but there isn't one that I can find. I really don't want to have write a custom script for this, but it's looking like that might be the fix.

I am looking to see if anyone has implemented anything along these lines (we can't be the only ones that don't want to have to login to ES everytime we put in a suppression!) and how it was done. Or if anyone has any creative ideas for automation around creating eventtypes in Splunk.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!