Solved: Is there an easy way to close out 150K+ incident e...

jcoquico · ‎01-29-2013

We have recently installed ES for Splunk and have over 150K+ incidents that I want to close that were opened prior to tuning the correlation searches. Does any one know of an 'easy' way to do this besides editing them through the Incident Review page?

LukeMurphey · ‎02-01-2013

There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.

Below are directions:

Open the ES Configuation page and open "Notable Event Suppressions"
Click "new" to make a new one
Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"

Here are some notes on the contents of the search:

index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
_time >= 0: this defines start of the time range that the suppression applies to
_time < 1359784000: this defines end of the time range that the suppression applies to

View solution in original post

LukeMurphey · ‎02-01-2013

There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.

Below are directions:

Open the ES Configuation page and open "Notable Event Suppressions"
Click "new" to make a new one
Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"

Here are some notes on the contents of the search:

index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
_time >= 0: this defines start of the time range that the suppression applies to
_time < 1359784000: this defines end of the time range that the suppression applies to

Is there an easy way to close out 150K+ incident events?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms