Splunk Enterprise Security

Hide specific notables from IR (Incident review) in ES

splunkreal
Motivator

Hello, we would like to filter ES incident review and hide notables with TEST keyword by example, how to do? Thanks for your help

* If this helps, please upvote or accept solution if it solved *
0 Karma
1 Solution

jawahir007
Communicator

Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.

search_name!=*TEST*

jawahir007_0-1729847733395.png

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

View solution in original post

splunkreal
Motivator

Hello @jawahir007 how are you? Found out we can filter by search_title also, where can we find list of IR fields? Thanks for your help!

* If this helps, please upvote or accept solution if it solved *
0 Karma

jawahir007
Communicator

You can achieve this by creating Custom Notable Event Suppressions. Please refer to the link below for more details.

https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Customizenotables#Create_and_manage_notable_eve...

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
0 Karma

splunkreal
Motivator

Hi @jawahir007  we don't want to suppress them just hide them based on saved filter.

* If this helps, please upvote or accept solution if it solved *
0 Karma

jawahir007
Communicator

Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.

search_name!=*TEST*

jawahir007_0-1729847733395.png

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

splunkreal
Motivator

Great thanks, it works with classic IR view 🙂

* If this helps, please upvote or accept solution if it solved *

gargantua
Path Finder

I've done this little app in order to adress this specific use case :

https://github.com/kilanmundera/Custom-Annotations-Framework-for-Splunk-Enterprise-Security

0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...