Splunk Enterprise Security

Is there an easy way to close out 150K+ incident events?

jcoquico
Engager

We have recently installed ES for Splunk and have over 150K+ incidents that I want to close that were opened prior to tuning the correlation searches. Does any one know of an 'easy' way to do this besides editing them through the Incident Review page?

1 Solution

LukeMurphey
Champion

There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.

Below are directions:

  1. Open the ES Configuation page and open "Notable Event Suppressions"
  2. Click "new" to make a new one
  3. Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
  4. By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"

Here are some notes on the contents of the search:

  • index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
  • _time >= 0: this defines start of the time range that the suppression applies to
  • _time < 1359784000: this defines end of the time range that the suppression applies to

View solution in original post

LukeMurphey
Champion

There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.

Below are directions:

  1. Open the ES Configuation page and open "Notable Event Suppressions"
  2. Click "new" to make a new one
  3. Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
  4. By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"

Here are some notes on the contents of the search:

  • index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
  • _time >= 0: this defines start of the time range that the suppression applies to
  • _time < 1359784000: this defines end of the time range that the suppression applies to
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...