Trying to create an ES Notable Event Suppression where the user value is null.
A direct search:
`get_notable_index` | where isnull(user)
Gets me the events I would like to suppress.
If I try to create a notable event suppression within the incident review/eventtypes search, I get:
Message: Eventtype search string cannot be a search pipeline or contain a subsearch.
Is there any other way to do this?
Just like the error message suggests, event suppressions are just simple eventtypes in the form of notable_suppression-, and you can't use pipelines in an eventtype search.
You can simply use NOT(user).
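As an added illustration (not part of the original thread), this is what such a suppression looks like as a hand-written `eventtypes.conf` stanza in the `notable_suppression-<name>` form the answer describes. The stanza suffix `null_user` and the `NOT user=*` field-existence form are assumptions of this example; the `get_notable_index` macro is the one from the question, and the search deliberately contains no pipe or subsearch so that it is accepted as an eventtype.

```ini
# Constructed example of a notable event suppression eventtype.
# Stanza name prefix "notable_suppression-" is what marks it as a suppression;
# the suffix "null_user" is an assumed name for this example.
[notable_suppression-null_user]
# Base search only: no "|" pipeline and no subsearch are allowed here.
# "NOT user=*" keeps notables where the user field is absent (assumed form).
search = `get_notable_index` NOT user=*
description = Suppress notable events that carry no user field (example)
disabled = 0
```

Keep the suppression narrow enough that it does not hide notables you still want to review; a blanket "no user" condition can match many unrelated rules, so it is worth re-running the plain search on its own first and checking the count of events it would remove.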