Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Enterprise Security
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Is there an easy way to close out 150K+ incident e...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jcoquico
Engager
01-29-2013
02:13 PM
We have recently installed ES for Splunk and have over 150K+ incidents that I want to close that were opened prior to tuning the correlation searches. Does any one know of an 'easy' way to do this besides editing them through the Incident Review page?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LukeMurphey
Champion
02-01-2013
10:55 AM
There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.
Below are directions:
- Open the ES Configuation page and open "Notable Event Suppressions"
- Click "new" to make a new one
- Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
- By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"
Here are some notes on the contents of the search:
- index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
- _time >= 0: this defines start of the time range that the suppression applies to
- _time < 1359784000: this defines end of the time range that the suppression applies to
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LukeMurphey
Champion
02-01-2013
10:55 AM
There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.
Below are directions:
- Open the ES Configuation page and open "Notable Event Suppressions"
- Click "new" to make a new one
- Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
- By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"
Here are some notes on the contents of the search:
- index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
- _time >= 0: this defines start of the time range that the suppression applies to
- _time < 1359784000: this defines end of the time range that the suppression applies to
Get Updates on the Splunk Community!
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...
