Splunk Enterprise Security

Is there an easy way to close out 150K+ incident events?

jcoquico
Engager

We have recently installed ES for Splunk and have over 150K+ incidents that I want to close that were opened prior to tuning the correlation searches. Does any one know of an 'easy' way to do this besides editing them through the Incident Review page?

1 Solution

LukeMurphey
Champion

There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.

Below are directions:

  1. Open the ES Configuation page and open "Notable Event Suppressions"
  2. Click "new" to make a new one
  3. Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
  4. By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"

Here are some notes on the contents of the search:

  • index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
  • _time >= 0: this defines start of the time range that the suppression applies to
  • _time < 1359784000: this defines end of the time range that the suppression applies to

View solution in original post

LukeMurphey
Champion

There is a couple ways to do this but the best is probably to use a suppression rule. The nice thing about suppressions is that you apply to all matching events and you can easily modify the suppression to reverse the effects if if doesn't work the way that you hoped.

Below are directions:

  1. Open the ES Configuation page and open "Notable Event Suppressions"
  2. Click "new" to make a new one
  3. Create the suppression with a search that matches the events you want to suppress. If you want to suppress all of them, them make the search something simply "index=notable". Make sure to set an expiration date, otherwise, your notable events will all be hidden. Save the suppression once you are done.
  4. By default, the suppression does not apply retro-actively. However, you can change this by editing the suppression. Click the suppression to edit it and set the time appropriately. Since you have a new installation, you may just want to set the time such that it matches all events before the current time. This can be done by editing the part of the search with "_time>=" to something like "index=notable _time<1359784000 _time>=0"

Here are some notes on the contents of the search:

  • index=notable: this needs to be present in all of the suppressions so that the associated eventtype matches notable events
  • _time >= 0: this defines start of the time range that the suppression applies to
  • _time < 1359784000: this defines end of the time range that the suppression applies to
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...