Splunk Enterprise Security

Splunk Enterprise Security 3.3.1: Notable Event Suppression "The provided search is not valid"

kmanson
Path Finder

I am trying to suppress an event "Account Deleted" and receiving the error "The provided search is not valid" when trying to save the suppression. This search works in a normal search window.

index=notable source="Access - Account Deleted - Rule" _time>=1445961951 src_user="svc-udaadm" | regex user="\d{9}"

In another suppression I get the same error with this search, once again works in a normal search window.

index=notable source="Threat - Threat List Activity - Rule" threat_match_field="dest" threat_group=iblocklist_logmein _time>=1445984423 [| inputlookup whitelisted_logmein.csv | rename whitelisted_logmein as src | fields + src]

Splunk 6.3.0 with ES 3.3.1

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I'm pretty sure notable event suppressions follow the same rules as eventtypes - no subsearches, no pipes.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

I'm pretty sure notable event suppressions follow the same rules as eventtypes - no subsearches, no pipes.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!