Splunk Enterprise Security

Splunk Enterprise Security 3.3.1: Notable Event Suppression "The provided search is not valid"

kmanson
Path Finder

I am trying to suppress an event "Account Deleted" and receiving the error "The provided search is not valid" when trying to save the suppression. This search works in a normal search window.

index=notable source="Access - Account Deleted - Rule" _time>=1445961951 src_user="svc-udaadm" | regex user="\d{9}"

In another suppression I get the same error with this search, once again works in a normal search window.

index=notable source="Threat - Threat List Activity - Rule" threat_match_field="dest" threat_group=iblocklist_logmein _time>=1445984423 [| inputlookup whitelisted_logmein.csv | rename whitelisted_logmein as src | fields + src]

Splunk 6.3.0 with ES 3.3.1

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I'm pretty sure notable event suppressions follow the same rules as eventtypes - no subsearches, no pipes.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

I'm pretty sure notable event suppressions follow the same rules as eventtypes - no subsearches, no pipes.

Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...