Solved: Splunk Enterprise Security 3.3.1: Notable Event Su...

kmanson · ‎10-30-2015

I am trying to suppress an event "Account Deleted" and receiving the error "The provided search is not valid" when trying to save the suppression. This search works in a normal search window.

index=notable source="Access - Account Deleted - Rule" _time>=1445961951 src_user="svc-udaadm" | regex user="\d{9}"

In another suppression I get the same error with this search, once again works in a normal search window.

index=notable source="Threat - Threat List Activity - Rule" threat_match_field="dest" threat_group=iblocklist_logmein _time>=1445984423 [| inputlookup whitelisted_logmein.csv | rename whitelisted_logmein as src | fields + src]

Splunk 6.3.0 with ES 3.3.1

martin_mueller · ‎10-31-2015

I'm pretty sure notable event suppressions follow the same rules as eventtypes - no subsearches, no pipes.

View solution in original post

martin_mueller · ‎10-31-2015

I'm pretty sure notable event suppressions follow the same rules as eventtypes - no subsearches, no pipes.

Splunk Enterprise Security 3.3.1: Notable Event Suppression "The provided search is not valid"

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?