Splunk Enterprise Security

Notable Event Suppression where field is NULL?


Trying to create an ES Notable Event Suppression where the user value is null.
A direct search:

`get_notable_index`  | where isnull(user)

Gets me the events I would like to suppress.

If I try to create a notable event suppression within the incident review/eventtypes search, I get:

Message: Eventtype search string cannot be a search pipeline or contain a subsearch.

Is there any other way to do this?

Labels (1)
0 Karma


Just like the error message suggests. event suppression are just simple eventtypes in the form of notable_suppression-. And you can't use pipelines in eventtypes search.
You can simply use NOT(user).

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.