Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk - Enterprise Security - Disable Splunk Web Messages

SMWickman
Explorer
‎06-19-2018 09:54 AM

How can I selectively disable/suppress Splunk web messages? This one is quite a nuisance and quite obviously a bug of some kind:

Splunk_SA_CIM version 4.11.0 is lower than required 4.9.1
6/19/2018, 12:46:13 PM

It's starting to get a bit annoying clearing it over and over. 4.11.0 is obviously a higher version than 4.9.1 but I presume whatever is driving this message is only reading to 4.1* and interpreting that as a lower version.

Any help here would be hugely helpful!

Reply

darrenfuller
Contributor
‎06-19-2018 10:09 AM

If you are looking to get rid of those messages altogether, you could use props / transforms to get rid of those events at index time... 

#props.conf 

[sourcetype-of-annoying-event]
TRANSFORMS-get_rid_of_annoying_messages = shred_useless_cim_events


#transforms.conf

[shred_useless_cim_events]
SOURCE_KEY = _raw
DEST_KEY = queue
FORMAT = nullQueue
REGEX = Splunk_SA_CIM\sversion\s4\.11\.0\sis\slower\sthan\srequired\s4\.9\.1

... These would need to be put on your indexers and / or heavy forwarders, depending on how data is coming into Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...